starnakin/42_rainfall
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: bunch of improvements and typos in the walkthrough

Browse Source
This commit is contained in:
0x35c
2025-05-07 14:04:04 +02:00
parent ca011b34f4
commit fb1ba7aee8
11 changed files with 35 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
level5/walkthrough
View File

@ -1,7 +1,7 @@
# Level5
Using ghidra, we can decompile the code and see that it fills a buffer of 520 bytes using `fgets`.
This buffer will then be passed directly as a parameter to `printf`. This allows us to print whatever we want (e.g dump the stack, change variables).
Using ghidra, we can decompile the code and see that it fills a buffer of 520 bytes using `fgets()`.
This buffer will then be passed directly as a parameter to `printf()`. This allows us to print whatever we want (e.g dump the stack, change variables).
Our goal here will be to change the value of the `jmp` of `exit()` to the address of `o()`, opening a shell.
To do so, we will first dump the stack to know where the buffer is located.
@ -9,6 +9,8 @@ Let's print something basic like `print("AAAA" + "%x"*20)`. We can see that 0x41
Now that we know where our buffer is located on the stack, let's exploit printf.
By using the `%n` flag, we can change the value of a variable to the length of what's been printed before (here, o's address).
We can get both `jmp` instruction's address and `o`'s address using gdb.
Let's overwrite the GOT address of `exit()` by the address of `o()`.
We can get both addresses using gdb.
Putting these all together, here is the command:
`(python -c 'print "\x38\x98\x04\x08" + "%134513824p" + "%4$n"'; cat) | ./level5`