Level19
After logging in with the level19 account, check the hint as follows.
A BOF (buffer overflow) vulnerability exists because gets() does not check the length of the input string. I used gdb to analyze the code.
The buffer allocated on the stack is 40 bytes.
If you exploit the BOF with only this information, the shell will run with level19 permissions instead of level20 permissions, because the program never calls setreuid().
So I execute setreuid(3100,3100) and then system("/bin/sh") to get a level20 shell.
To do this, I use chained RTL (return-to-libc). The following diagram illustrates the stack layout.
First, I find the addresses of system() and setreuid().
I use objdump to find a pop-pop-ret gadget as follows.
Finally, I use the code from level11 to find the address of the "/bin/sh" string.
After compiling the above code and running it, I find the address of /bin/sh.
Now that I have all the values I need, I type the payload.
As a result, I get a level20 shell.
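The root cause of this level is the unbounded gets() read into a 40-byte stack buffer. As an added example (not the level19 binary and not the author's code), the snippet below shows that gets()-style copy next to a bounded replacement that refuses over-long input instead of writing past the buffer; BUF_SIZE and the function names are my own.

```c
/* Added example: gets()-style unbounded read beside a bounded replacement. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 40   /* the 40-byte stack buffer described above */

/* Mirrors what gets() does: copies until newline or NUL with no limit.
 * With more than BUF_SIZE-1 bytes it writes past `buf` into the saved
 * frame pointer and return address. Shown only to contrast with the
 * bounded version; never use this on untrusted input. */
static size_t read_line_unbounded(char *buf, const char *src)
{
    size_t n = 0;
    while (src[n] != '\0' && src[n] != '\n') {
        buf[n] = src[n];
        n++;
    }
    buf[n] = '\0';
    return n;
}

/* Bounded replacement: stores at most cap-1 bytes and NUL-terminates.
 * Returns the number of bytes stored, or -1 if the line did not fit, so
 * the caller can reject it instead of continuing with truncated data. */
static long read_line_bounded(char *buf, size_t cap, const char *src)
{
    size_t n = 0;
    if (cap == 0)
        return -1;
    while (n < cap - 1 && src[n] != '\0' && src[n] != '\n') {
        buf[n] = src[n];
        n++;
    }
    buf[n] = '\0';
    /* Input left before end-of-line means it was longer than cap-1 bytes */
    if (src[n] != '\0' && src[n] != '\n')
        return -1;
    return (long)n;
}

int main(void)
{
    char buf[BUF_SIZE];
    char big[61];               /* constructed input: 60 'A's, longer than buf */
    memset(big, 'A', 60);
    big[60] = '\0';
    if (read_line_bounded(buf, sizeof buf, big) < 0)
        printf("rejected: input longer than %d bytes\n", BUF_SIZE - 1);
    return 0;
}
```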