To confirm that it's a buffer overflow vulnerability we fuzz it by entering a large input (larger than the 32 bytes reserved for the buffer).
And it seems we were right about the buffer overflow vulnerability.
Now we fire up gdb and try to figure out what we can do. First of all we study the disassembly.
So we'll be following these steps:
1. Set a breakpoint just after the call to strcpy() in the function gates_of_arija(). The address 0x08048600 seems perfect.
2. Run the binary with an input within the bounds of the buffer. The execution will break at the breakpoint.
3. Examine the stack entries near this breakpoint, looking for 0x08048690, which is the default return address, i.e. the address of the next instruction in main() after gates_of_arija() has been called.
We can see the A's as the many \x41 values on the stack. We can see that our buffer starts at 0xffffdbd0. We can also see the return address we were looking for, a few DWORDs later at 0xffffdbfc. We then find the offset of this return address from the start of our buffer.
Now we have to design our payload. We want the function to return to the spawn_shell() function instead of 0x08048690. So we'll design the payload such that we overwrite the return address with 0x0804858b, which is the starting address of the spawn_shell() function as seen in the disassembly. The first 44 bytes of the payload can be anything (let's keep it a bunch of A's). The next 4 bytes will be 0x0804858b in little-endian format, which is just the address written backwards two hex digits (one byte) at a time. Also, since many of the bytes can't be typed as characters, we'll use the python -c switch to send our payload as an argument to the program.
Thus the final exploit looks like:
What!!! How did that happen? We should have had the level7 shell; instead we have level6. I thought a lot about why that would happen, and figured out that when we are running the binary through gdb it does not run with the permissions of the owner (which is level7); instead it runs with level6 permissions. So now all we have to do is use our exploit without gdb.
And voilà! We have a level7 shell which we can use to read the level7 password. I am not revealing the password here so that the readers try the challenge on their own.
The levels seem to be getting tougher and more enjoyable :) .
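As an added illustration (not the challenge binary's code, and not part of the original post), the C below shows the strcpy()-into-a-32-byte-buffer pattern the level relies on next to a bounds-checked form that rejects oversized input, plus the offset arithmetic from the gdb stack dump and the little-endian byte layout of a 32-bit address. Function names, the 44-byte limit used in main() and the buffer size are assumptions taken from the walkthrough above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 32   /* the 32-byte stack buffer described in the writeup */

/* The bug the level exploits: strcpy() into a fixed stack buffer with no
 * length check, so an argument of 32+ bytes runs past the buffer into the
 * saved frame pointer and return address. Shown for comparison only. */
void copy_unchecked(const char *arg)
{
    char buffer[BUF_SIZE];
    strcpy(buffer, arg);              /* unbounded copy: the defect */
    printf("%s\n", buffer);
}

/* Hardened form: refuse anything that does not fit, including the NUL.
 * Returns 0 when copied, -1 when rejected. */
int copy_checked(const char *arg, char *out, size_t out_size)
{
    size_t len = strlen(arg);
    if (len >= out_size)
        return -1;
    memcpy(out, arg, len + 1);        /* len + 1 copies the terminator */
    return 0;
}

/* Distance from the buffer start to the saved return address slot, as read
 * from the gdb dump (buffer at 0xffffdbd0, return slot at 0xffffdbfc). */
uint32_t return_slot_offset(uint32_t buffer_addr, uint32_t ret_slot_addr)
{
    return ret_slot_addr - buffer_addr;
}

/* Little-endian layout of a 32-bit address: lowest byte stored first,
 * i.e. the hex string written backwards one byte (two digits) at a time. */
void to_little_endian(uint32_t addr, uint8_t out[4])
{
    for (int i = 0; i < 4; i++)
        out[i] = (uint8_t)(addr >> (8 * i));
}

int main(void)
{
    char input[64], safe[BUF_SIZE];
    uint8_t le[4];
    printf("offset to return slot: %u bytes\n",
           return_slot_offset(0xffffdbd0u, 0xffffdbfcu));
    to_little_endian(0x0804858bu, le);
    printf("0x0804858b in memory: %02x %02x %02x %02x\n", le[0], le[1], le[2], le[3]);
    memset(input, 'A', 44); input[44] = '\0';   /* constructed 44-byte input */
    printf("44 A's accepted by checked copy: %d\n", copy_checked(input, safe, sizeof safe));
    return 0;
}
```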