level7: few fixes on the source code and walkthrough complete

level7/source.c

@@ -14,18 +14,18 @@ void m(void)
 	return;
 }
 
-int32_t main(int32_t ac, char **av)
+int main(int ac, char **av)
 {
-	int32_t *str = malloc(8);
+	int *s1 = malloc(8);
-	str[0] = 1;
+	s1[0] = 1;
-	str[1] = malloc(8);
+	s1[1] = malloc(8);
 
-	int32_t *str2 = malloc(8);
+	int *s2 = malloc(8);
-	str2[0] = 2;
+	s2[0] = 2;
-	str2[1] = malloc(8);
+	s2[1] = malloc(8);
 
-	strcpy(str[1], av[1]);
+	strcpy(s1[1], av[1]);
-	strcpy(str2[1], av[2]);
+	strcpy(s2[1], av[2]);
 	fgets(c, 68, fopen("/home/user/level8/.pass", "r"));
 	puts("~~");
 	return 0;

level7/walkthrough

@@ -0,0 +1,12 @@
+# Level7
+
+Using ghidra, we can decompile the code and see that it allocates 2 variables (s1 and s2), dereferences these and allocates both pointers.
+It will then `strcpy()` the content of av[1] and av[2] to s1[1] and s2[1], exposing the program to a buffer overflow.
+After that, the program opens a file stream on `/home/user/level8/.pass` and writes its content to the global buffer `c[80]`. This buffer is also used in an external function `m()` that will print the content of c.
+Finally, we have a call to `puts("~~")` that we're going to use to call the function `m()` instead of printing its string.
+In order to do this, we have to overwrite the GOT at the address of `puts()` and replace it by the address of `m()`.
+Remember we have 2 pointer dereferences, we're going to use this to write what we want at the address we want.
+Basically, we need to overflow `s1` until `s2`, then write the GOT address of `puts()` into `s2 + 4` (since it dereferences `s2` at `s2[1]`) through the 1st `strcpy()` (copying `av[1]`). What will happen is that the 2nd `strcpy()` will copy the content of `av[2]` (e.g., the address of `m()`) to the address of `s2[1]`, which now equals to the GOT address of `puts()`.
+
+Here is the command:
+`./level7 $(python -c 'print "A"*20 + "\x28\x99\x04\x08"') $(python -c 'print "\xf4\x84\x04\x08"')`