Thursday, August 8, 2013

STS: Login - Level 2

This level gives us a binary and some code. There’s also an alternative challenge (I may get to this another time). Here’s the code we are working with:

#define _GNU_SOURCE   /* needed for setresuid() to be declared by glibc's unistd.h */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

int main(int argc, const char **argv) {
    if (argc < 2) { printf("Fail. More Args...\n"); return 1; }
    else {
        /* drop to the effective uid (the setuid owner of the binary) */
        setresuid(geteuid(),geteuid(),geteuid());
        char buf2[4096];
        char buf[16];
        const char password[]="XXXXXXXXXXX";   /* hardcoded, recoverable with strings */
        strncpy(buf, argv[1], sizeof(buf) - 1);
        if (strcmp(buf,password) != 0) {
            printf("Wrong.\n");
            return 1;
        }
        else {
            /* unbounded copy of argv[2] into a 4096-byte stack buffer */
            strcpy(buf2,argv[2]);
            printf("%s",buf2);
            return 0;
        }
    }
}

We can see in the code that there are two buffers and that the second buffer is filled with the insecure strcpy function. However, to get to this segment of code, we need to know the password. In order to get this I ran “strings” on the binary and was able to quickly pick out the password. Now if I run the program with the password, I can attempt to overflow the buffer.


$ ./level2 [removed] `python -c 'print "A" * 5000'`


I get a segmentation fault. We can see in gdb that we overwrite EIP with A’s.


[Screenshot: gdb session showing EIP overwritten with A’s]



Now all we need to do is craft up our basic exploit and get the key! :)
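The bug the level turns on is the unbounded strcpy of argv[2] into buf2 (and the fact that argv[2] is never checked to exist). The following is an added example written for this post, not the challenge's code: it shows the fix side, a bounded copy that refuses input that does not fit, wired into a hardened version of the level's second branch. The names bounded_copy, echo_arg and rejects_long_input are my own, and the 5000-byte run of A's is constructed to mirror the argument used above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

/* Copy src into dst (capacity dstsz), returning true on success.
 * Fails, and leaves dst as an empty string, when src (plus its NUL)
 * does not fit. Unlike strncpy, the result is always NUL-terminated,
 * and unlike strcpy, nothing is ever written past dst[dstsz-1]. */
bool bounded_copy(char *dst, size_t dstsz, const char *src) {
    if (dst == NULL || dstsz == 0) return false;
    if (src == NULL) { dst[0] = '\0'; return false; }

    /* Measure src, but never scan further than the space we have. */
    size_t n = 0;
    while (n < dstsz && src[n] != '\0') n++;
    if (n >= dstsz) {            /* too long: would overflow or lose the NUL */
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, src, n + 1);     /* n bytes plus the terminating NUL */
    return true;
}

/* Hardened counterpart of the level's "else" branch (password check
 * omitted): argc is verified before argv[2] is dereferenced, and the
 * copy into the 4096-byte buffer is bounded by sizeof buf2. */
int echo_arg(int argc, const char **argv) {
    char buf2[4096];
    if (argc < 3) { printf("Fail. More Args...\n"); return 1; }
    if (!bounded_copy(buf2, sizeof buf2, argv[2])) {
        printf("Argument too long.\n");
        return 1;
    }
    printf("%s\n", buf2);
    return 0;
}

/* Construct a run of `len` 'A' bytes (the post's overflow input) and
 * check that a 16-byte destination rejects it cleanly. */
bool rejects_long_input(size_t len) {
    char dst[16];
    char *input = malloc(len + 1);
    if (input == NULL) return false;
    memset(input, 'A', len);
    input[len] = '\0';
    bool copied = bounded_copy(dst, sizeof dst, input);
    free(input);
    return !copied && dst[0] == '\0';
}

int main(int argc, const char **argv) {
    /* Same behaviour as the level for the happy path; a 5000-byte
     * argument now yields "Argument too long." instead of a segfault. */
    return echo_arg(argc, argv);
}
```

Compiling the original with -fstack-protector would turn the silent EIP overwrite into an abort, but the real fix is the length check: the destination size is known at compile time, so the copy should never be allowed to exceed it.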
