10 lines
670 B
Plaintext
10 lines
670 B
Plaintext
# Level1
|
|
|
|
Using ghidra, we can decompile the code and see that it fills a buffer of 76 bytes using the deprecated (unsafe) function `gets()`.
|
|
We can exploit this call to overflow the stack and call another function.
|
|
In the binary, there is a function `run()` located at address 0x8048444 that calls `system("/bin/sh")`.
|
|
To exploit this, we can use this sh command with this inline python script:
|
|
`(print('A'*76 + "\x44\x84\x04\x08"); cat) | ./level1`
|
|
This will print `run()`'s address to `eip`, after the buffer being written to by `gets()`, resulting in a call to the function.
|
|
The parenthesis and the `cat` are mandatory to make it blocking and keep the shell opened.
|