17 lines
1.0 KiB
Plaintext
17 lines
1.0 KiB
Plaintext
# Level5
|
|
|
|
Using ghidra, we can decompile the code and see that it fills a buffer of 520 bytes using `fgets()`.
|
|
This buffer will then be passed directly as a parameter to `printf()`. This allows us to print whatever we want (e.g dump the stack, change variables).
|
|
Our goal here will be to change the value of the `jmp` of `exit()` to the address of `o()`, opening a shell.
|
|
|
|
To do so, we will first dump the stack to know where the buffer is located.
|
|
Let's print something basic like `print("AAAA" + "%x"*20)`. We can see that 0x41414141 (= "AAAA") is printed at the 4th position in the stack.
|
|
Now that we know where our buffer is located on the stack, let's exploit printf.
|
|
|
|
By using the `%n` flag, we can change the value of a variable to the length of what's been printed before (here, o's address).
|
|
Let's overwrite the GOT address of `exit()` by the address of `o()`.
|
|
We can get both addresses using gdb.
|
|
|
|
Putting these all together, here is the command:
|
|
`(python -c 'print "\x38\x98\x04\x08" + "%134513824p" + "%4$n"'; cat) | ./level5`
|