In this level we are presented with a connect 4 game written with ncurses. After playing a couple of times we find a combination to win: DHHDLLDHDDDLDD
Nothing happens though, so let's fire up Hopper and take a look at the code. A good place to start is the code around the "you win" and "you lose" exit strings, and indeed, right after the "you win" string is printed there is an interesting piece of code before the call to exit().
This is an easy pwnable level, but a very interesting one since there are many ways to exploit it, so let's start by checking the binary protections:
Not bad: ASLR and NX are enabled and the stack is protected with a canary. Let's analyze what it does. Running the binary opens a socket on port 8888; connecting to it returns a menu with options to attack Doraemon:
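As an added example (not from the original write-up or the challenge binary), this is how the protections listed above are actually read out of an ELF file: PIE from the header's e_type, NX from the PT_GNU_STACK segment flags, RELRO from a PT_GNU_RELRO segment, and the canary from the presence of the __stack_chk_fail symbol name, the same heuristics checksec uses. The two sample images are constructed in the script itself so it runs without any binary.

```python
import struct

# Constants from the ELF specification (e_type values, program header types, segment flags)
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 1


def check_protections(data: bytes) -> dict:
    """Report PIE, NX, RELRO and stack-canary status of a little-endian ELF64 image.

    checksec-style heuristics: PIE from e_type, NX from the PT_GNU_STACK flags,
    RELRO from a PT_GNU_RELRO segment, canary from the __stack_chk_fail symbol
    name appearing anywhere in the file (it lives in .dynstr when stack
    protection is compiled in).
    """
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    nx, relro = False, False  # no PT_GNU_STACK at all: the loader may hand out an executable stack
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro,
            "canary": b"__stack_chk_fail" in data}


def build_sample(e_type: int, stack_flags: int, with_canary: bool) -> bytes:
    """Constructed minimal ELF64 image for testing: header, two program headers, a fake string table."""
    phdrs = [(PT_GNU_STACK, stack_flags), (PT_GNU_RELRO, 4)]
    ehdr = struct.pack("<4sBBBBB7sHHIQQQIHHHHHH",
                       b"\x7fELF", 2, 1, 1, 0, 0, b"\0" * 7,  # e_ident: ELF64, little-endian, SysV
                       e_type, 0x3E, 1, 0x401000, 64, 0, 0,   # type, x86-64, version, entry, phoff, shoff, flags
                       64, 56, len(phdrs), 64, 0, 0)          # ehsize, phentsize, phnum, shentsize, shnum, shstrndx
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    strtab = b"\0__stack_chk_fail\0" if with_canary else b"\0puts\0"
    return ehdr + body + strtab


if __name__ == "__main__":
    # Hardened sample: PIE, read/write (non-executable) stack, canary present
    print("hardened:", check_protections(build_sample(ET_DYN, 6, True)))
    # Weak sample: fixed-address executable, RWX stack, no canary
    print("weak:    ", check_protections(build_sample(ET_EXEC, 7, False)))
```

Replace the constructed images with `open(path, "rb").read()` to inspect a real binary; note that ASLR itself is a kernel setting, and PIE only decides whether the main image takes part in it.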
Normally I play with the binary and try to get a crash, which is simple in this case, but this time I decided to do some reversing, which paid off very well. I found the following vulnerabilities:
In this level we were presented with a 64-bit ELF executable, a good opportunity to practise Linux exploitation on 64-bit systems and to try Hopper for the first time :)
When you run the binary, it starts listening on port 31415 (pi!), but if we try to connect it complains about a missing user “gambino”. So we have to create the user. Once it is created, connecting to the service returns nothing.