14 lines
1.3 KiB
Plaintext
14 lines
1.3 KiB
Plaintext
# Level8
|
|
|
|
Using ghidra, we can decompile the code and see that it loops on a `fgets()` and does a bunch of `memcmp()` with its buffer.
|
|
First of all, we have 2 global variables, `char *auth` and `int service`. Also, we have 3 local buffers (`s`, `v5` and `v6`) with respective sizes of 5, 2 and 129.
|
|
We can see that they are being changed in 2 different `if memcmp()`.
|
|
The first one is when we input `"auth "`. It will allocate 4 bytes to `auth`, then set `auth[0]` to 0.
|
|
The second one is when we input `"service"`. It will `strdup()` the content of `v6` (a random buffer on the stack) to `service`. This is interesting because we can overflow the first buffer `s` (through `fgets(s, 128, stdin)`)until we reach `v6`, thus allowing us to write whatever we want to service. Since `service` is an int, it will overflow to the next variable, which is `char *auth`.
|
|
To make this vulnerability useful, let's see the last `memcmp()`.
|
|
This last `if memcmp()` is triggered with the input `"login"`. It then has an `if/else`, that will open a shell (what we want) in case `auth[32] != 0`.
|
|
Here comes the interesting part, remember we could overflow on `auth` through the `strdup` on `service`.
|
|
|
|
Here's the full exploit:
|
|
`(python -c 'print "auth \nservice" + "A" * 34 + "\n" + "login\n"'; cat) | ./level8`
|