Friday, July 1, 2016

Exploit Exercises - nebula level13

Exploit Exercises - nebula level13




The program expects a UID 1000.



Let's debug it in gdb. Put a breakpoint at main() so we can analyze the program flow first.



The program will compare the UID of the user who is running flag13 (1014) with the UID it expects (1000). This is done by CMP call at main+48 - address 0x80484f4.



Put a breakpoint at CMP & continue till the breakpoint is hit.




At this point, we find that UID value (1014) is stored in $eax register. We can change the value to UID 1000, so when CMP call is executed next, UIDs will match, and we will get the token.



Log in as flag13 using the token value and getflag.


+++++

No comments:

Post a Comment

Disclaimer

The views, information & opinions expressed in this blog are my own and do not reflect the views of my current or former employers or employees or colleagues.