level5 and level6 done

2025-04-29 14:00:03 +02:00
parent 32cdde848f
commit fc40e2e002
5 changed files with 51 additions and 0 deletions
--- a/level6/walkthrough
+++ b/level6/walkthrough
@ -0,0 +1,9 @@
+# Level6
+
+Using ghidra, we can decompile the code and see that it calls `malloc` twice.
+The first malloc has a size of 64 bytes and is a buffer where the program will `strcpy(buf, av[1])`. The second one is a function pointer pointing to `m()` function by default (prints "Nope."). We want to change its value to point to the correct function `n()` that will open a shell.
+To achieve this, we will overflow the first malloc and the second one's header so that we can write the adress through the input in `av[1]`.
+To calculate the offset between the 2 allocations, we used gdb's breakpoints and prints, leading us to an offset of 72 bytes (64 + 8).
+
+Here is the command:
+./level6 $(python -c 'print "A"*72 + "\x54\x84\x04\x08"')