Posted on February 3, 2017 in Overthewire.
What about another challenge in reverse engineering? Anywhere, anytime!
As always, let's start by viewing the source code.
Okay, now let's run it.
As the source code shows, if no argument is passed, usage instructions are printed; otherwise the value of the argument is printed on the next line. The source also tells us that char buf is 128 bytes in size. Let's try to trigger the segmentation fault.
Hmm, that's interesting. After trying different amounts of A letters, I've noticed that writing 140 of them gives an Illegal instruction message, while 141 letters end up with our desired Segmentation fault. Maybe gdb will tell us something more?
First, let's investigate the illegal instruction case.
Unfortunately, after doing some research I've found out that SIGILL won't help us much. What we have to try instead is to overwrite the instruction pointer.
Luckily, adding only 3 more A's overwrote the pointer. But here comes another problem: what is its address?
We can try to find out by writing a few B's at the end. Let's see.
Great! The EIP address is 0xffffd8b3. Now we have to find a way to use the shellcode from the previous challenge. But first, let's find its length.
25 bytes. As our string has to be 144 bytes in length, I'll first write 112 bytes of A letters, then the 25 bytes of our shellcode, and then overwrite the EIP with a memory address somewhere in the middle of the A's. Let's try it out!
Great, we can see that even with the shellcode in place, the B's overwrote the EIP. Now let's try it with the actual address, somewhere in the middle of the A letters. Maybe 0xffffd863?
And we've got the password to the next level!
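The root cause of this level, as an added example that is not the challenge's own code: an assumed reconstruction of the unbounded copy into the 128-byte buf, next to a bounded version that refuses any argument that does not fit. The function names, the use of strcpy and the 256-byte constructed test input are my assumptions, since the post does not reproduce the source.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 128  /* the 128-byte buf the post mentions */

/* Assumed reconstruction of the challenge's bug (the post does not show the
 * copy itself): an unbounded strcpy into a fixed-size stack buffer. Not
 * called by the checks below; shown only for contrast with the safe form. */
void vulnerable_echo(const char *arg)
{
    char buf[BUF_SIZE];
    strcpy(buf, arg);   /* no length check: a long argument runs past buf */
    printf("%s\n", buf);
}

/* Hardened form: reject anything that does not fit together with its NUL.
 * Returns 0 on success, -1 if the argument was refused. */
int bounded_echo(const char *arg, char *out, size_t outlen)
{
    size_t n = strlen(arg);
    if (n >= outlen)          /* n == outlen would leave no room for '\0' */
        return -1;
    memcpy(out, arg, n + 1);  /* copies the terminator too */
    return 0;
}

/* Convenience wrapper: feed a constructed string of n copies of c through
 * bounded_echo and report whether it was accepted (0) or rejected (-1). */
int try_length(char c, size_t n)
{
    char input[256];
    char buf[BUF_SIZE];
    if (n >= sizeof input)
        return -1;
    memset(input, c, n);
    input[n] = '\0';
    return bounded_echo(input, buf, sizeof buf);
}

int main(int argc, char **argv)
{
    char buf[BUF_SIZE];
    if (argc < 2 || bounded_echo(argv[1], buf, sizeof buf) != 0) {
        fprintf(stderr, "usage: %s <argument shorter than %d bytes>\n", argv[0], BUF_SIZE);
        return 1;
    }
    printf("%s\n", buf);
    return 0;
}
```

With the bounded version, the 140, 141 and 144 byte inputs from the walkthrough are all refused before anything is written to the stack.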
The challenge was awesome, but really time consuming. It was worth every minute, as I learned a lot from trying out these different ways to finish this level. Thanks OverTheWire!