
Level12
After logging in with the level12 account, check the hint as follows.


In the source code, the program first declares a local array str of 256 bytes. It then grants level13 (3093) permission to attackme. It prints the string "Input a sentence.", reads a string with the gets function, prints the input string, and exits.

I analyze it using gdb. Considering the structure of the stack, it appears to be the same as in level11. To use RTL (Return To Libc), I check whether ASLR is applied using the ldd command.
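
One way to script the ldd check mentioned above, as an added example that is not part of the original post: it extracts libc's load address from repeated ldd runs and reports whether it stays fixed. The function names and the two sample ldd outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from repeated `ldd` runs whether libc's load
# address is randomized. Names and sample text below are constructed.

# Read one ldd output on stdin and print the load address of libc.
libc_base() {
    # ldd lines look like: "libc.so.6 => /lib/libc.so.6 (0x42000000)"
    awk '$1 ~ /^libc\.so/ { gsub(/[()]/, "", $NF); print $NF; exit }'
}

# Read load addresses (one per line) on stdin and print a verdict.
# At least two samples are required; one run proves nothing.
aslr_verdict() {
    awk 'NF { total++; if (!seen[$1]++) distinct++ }
         END {
             if (total < 2)          print "unknown"
             else if (distinct == 1) print "fixed"
             else                    print "randomized"
         }'
}

# Run ldd several times against a binary and report the verdict.
check_binary() {
    bin=$1; runs=${2:-5}; i=0
    while [ "$i" -lt "$runs" ]; do
        ldd "$bin" 2>/dev/null | libc_base
        i=$((i + 1))
    done | aslr_verdict
}

# Constructed sample outputs (not taken from the original screenshots).
SAMPLE_FIXED='    libc.so.6 => /lib/tls/libc.so.6 (0x42000000)
    /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)'
SAMPLE_MOVED='    libc.so.6 => /lib/libc.so.6 (0xb7d5a000)
    /lib/ld-linux.so.2 (0xb7f1e000)'

# Stand-alone use: ./check.sh /path/to/binary
if [ "$#" -gt 0 ]; then
    check_binary "$1"
fi
```

A "fixed" verdict means library addresses are predictable across runs, which is the condition that ASLR is meant to remove.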

As a result, I confirm that ASLR is not applied to libc. All subsequent attack steps are identical to level11. The address where /bin/sh is located and the address of the system function are also the same. Unlike level11, level12 receives its string input during program execution, so I tried the attack as follows, and as a result I obtained the password of level13.
