[io64][smashthestack] level5: noexecstack is not enough

As the file header states, there is no way to execute the stack. It also says ASLR is not enabled, but it turns out that it is, at least from the stack's point of view (you can check that with the dm command in radare2).
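The post reads the stack permission from the file header; as an added example (not from the original write-up), here is a small Python check that pulls the three properties this level turns on straight from the ELF64 headers: whether PT_GNU_STACK lacks the executable bit (NX), whether the file is ET_DYN (PIE), and whether PT_INTERP is absent (statically linked, so libc's own system() ships inside the binary). The sample ELF images are constructed inline and are not real binaries.

```python
import struct

PT_INTERP = 3
PT_GNU_STACK = 0x6474E551
PF_X = 0x1
ET_EXEC = 2
ET_DYN = 3


def elf_mitigations(data: bytes) -> dict:
    """Report NX stack, PIE and static linking from ELF64 program headers."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 image")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    gnu_stack = None
    has_interp = False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            gnu_stack = p_flags
        elif p_type == PT_INTERP:
            has_interp = True
    return {
        # a missing PT_GNU_STACK entry means the loader falls back to an executable stack
        "nx_stack": gnu_stack is not None and not (gnu_stack & PF_X),
        "pie": e_type == ET_DYN,
        # a static executable carries no PT_INTERP (no dynamic loader path)
        "static": not has_interp,
    }


def build_sample_elf(stack_flags: int, e_type: int, with_interp: bool) -> bytes:
    """Constructed minimal ELF64 header plus program headers, for testing only."""
    phdrs = [(PT_GNU_STACK, stack_flags)]
    if with_interp:
        phdrs.append((PT_INTERP, 0x4))
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS64, little-endian
    ehdr += struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                        64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return ehdr + body


if __name__ == "__main__":
    # NX on, no PIE, static: the combination that leaves a ready-made system() in the image
    print(elf_mitigations(build_sample_elf(0x6, ET_EXEC, with_interp=False)))
```

On a real file, call elf_mitigations(open(path, "rb").read()); an NX stack with PIE off and no interpreter is exactly the shape of binary where noexecstack on its own buys little.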

Looking at file sizes, it appears that the level05 binary is quite huge for such a small amount of C code:

Might it be statically linked against the libc? Let's check that with the list of exported symbols:

Neat! Now we need to find some piece of code which calls do_system:

Bingo! We found a direct jump to do_system at 0x00401569.

Let’s try it 🙂 and see what we can do with that:

Good.

As you may know, according to the x86_64 ABI the first six parameters are passed respectively in rdi, rsi, rdx, rcx, r8 and r9; the rest are passed on the stack.

So, as buf is the first argument of strcpy, there is a good chance rdi will still point to our buffer when do_system is called. Let's check that:

As expected, rdi is already pointing to our buffer; now we need to provide "/bin/sh;".

The ";" is important: since we have no means to write a null byte at the end of the string, we rely on the shell interpreting the semicolon as a command terminator, so that it stops reading the rest of the buffer as arguments.

That obviously did not work 🙁, probably because our buffer gets overwritten somehow. Let's check:

Now we're in do_system, and the buffer seems quite fine at that point. Let's use a watchpoint:

OK, we've found the instruction that breaks our call to system. It seems we need to move the stack pointer a bit. The only way I can think of is to modify our injected return address so that it jumps to some pop instruction located just before a jmp/call to do_system. Let's see what instructions precede the three do_system matches found earlier (0x00401569, 0x00401575, 0x00401599):

Luckily enough, the first match is actually preceded by a pop instruction!

Let's try returning there and check whether our buffer gets overwritten again by a later instruction:

Owww yeah 🙂
