14 lines
1.2 KiB
Plaintext
14 lines
1.2 KiB
Plaintext
# Level2
|
|
|
|
Using ghidra, we can decompile the code and see that it fills a buffer of 76 bytes using the deprecated (unsafe) function `gets`.
|
|
Then, it will check if the return address hasn't been overwritten to and thus prevent us to exploit this vulnerability...
|
|
Since it calls `strdup` at the end of the program, we can insert a piece of code executing a linux shell through asm instructions. This will be copied to the heap, and since the ASLR is disabled, the address of where `strdup` will copy the content of the buffer will always be the same (we can find it using `ltrace ./binary`).
|
|
|
|
For the payload, everything is explained here (thanks cocomelonc UwU):
|
|
https://cocomelonc.github.io/tutorial/2021/10/09/linux-shellcoding-1.html
|
|
|
|
We can then execute this command (similar to the previous one):
|
|
`(python -c 'print "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80" + "A" * 55 + "\x08\xa0\x04\x08"' ; cat) | ./level2`
|
|
Where we copy our linux shell code to the heap, then fill the buffer until after `eip`.
|
|
Finally, we can insert the address where our code has been copied so it will be executed when the `return` instruction is called.
|