Level four :
|
1 2 3 4 |
level4@leviathan:/wargame$ ./level4 Enter the password> lol bzzzzzzzzap. WRONG level4@leviathan:/wargame$ |
It looks like the second challenge, but, let’s have a closer look to the inside :
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 |
(gdb) disassemble main Dump of assembler code for function main: 0x08048523 : lea 0x4(%esp),%ecx 0x08048527 : and $0xfffffff0,%esp 0x0804852a : pushl 0xfffffffc(%ecx) 0x0804852d : push %ebp 0x0804852e : mov %esp,%ebp 0x08048530 : push %ecx 0x08048531 : sub $0x44,%esp 0x08048534 : mov 0x8048757,%eax 0x08048539 : mov %eax,0xfffffff1(%ebp) 0x0804853c : movzwl 0x804875b,%eax 0x08048543 : mov %ax,0xfffffff5(%ebp) 0x08048547 : movzbl 0x804875d,%eax 0x0804854e : mov %al,0xfffffff7(%ebp) 0x08048551 : mov 0x804875e,%eax 0x08048556 : mov %eax,0xffffffe7(%ebp) 0x08048559 : mov 0x8048762,%eax 0x0804855e : mov %eax,0xffffffeb(%ebp) 0x08048561 : movzwl 0x8048766,%eax 0x08048568 : mov %ax,0xffffffef(%ebp) 0x0804856c : mov 0x8048768,%eax 0x08048571 : mov %eax,0xffffffe0(%ebp) 0x08048574 : movzwl 0x804876c,%eax 0x0804857b : mov %ax,0xffffffe4(%ebp) 0x0804857f : movzbl 0x804876e,%eax 0x08048586 : mov %al,0xffffffe6(%ebp) 0x08048589 : mov 0x804876f,%eax 0x0804858e : mov %eax,0xffffffd9(%ebp) 0x08048591 : movzwl 0x8048773,%eax 0x08048598 : mov %ax,0xffffffdd(%ebp) 0x0804859c : movzbl 0x8048775,%eax 0x080485a3 : mov %al,0xffffffdf(%ebp) 0x080485a6 : mov 0x8048776,%eax 0x080485ab : mov %eax,0xffffffcf(%ebp) 0x080485ae : mov 0x804877a,%eax 0x080485b3 : mov %eax,0xffffffd3(%ebp) 0x080485b6 : movzwl 0x804877e,%eax 0x080485bd : mov %ax,0xffffffd7(%ebp) 0x080485c1 : lea 0xffffffd9(%ebp),%eax 0x080485c4 : mov %eax,0x4(%esp) 0x080485c8 : lea 0xffffffe0(%ebp),%eax 0x080485cb : mov %eax,(%esp) 0x080485ce : call 0x804835c 0x080485d3 : test %eax,%eax 0x080485d5 : jne 0x80485de 0x080485d7 : movl $0x1,0xfffffff8(%ebp) 0x080485de : movl $0x8048742,(%esp) 0x080485e5 : call 0x80483bc 0x080485ea : call 0x8048484 0x080485ef : add $0x44,%esp 0x080485f2 : pop %ecx 0x080485f3 : pop %ebp 0x080485f4 : lea 0xfffffffc(%ecx),%esp 0x080485f7 : ret ---Type to continue, or q to quit---q Quit |
After isolation of the important instructions :
|
1 2 3 |
0x080485ce : call 0x804835c 0x080485d3 : test %eax,%eax 0x080485d5 : jne 0x80485de |
I used brake points :
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
reakpoint 1 at 0x804835c (gdb) r Starting program: /wargame/level4 Breakpoint 1, 0x0804835c in strcmp@plt () (gdb) s Single stepping until exit from function strcmp@plt, which has no line number information. 0xb7f1eec0 in strcmp () from /lib/tls/i686/cmov/libc.so.6 (gdb) s Single stepping until exit from function strcmp, which has no line number information. 0x080485d3 in main () (gdb) s Single stepping until exit from function main, which has no line number information. Enter the password> test |
Let’s have a closer look to $esp
|
1 2 3 4 |
(gdb) x/2x $esp 0xbffff8bc: 0x080484e6 0xbffff8dd (gdb) x/s 0xbffff8dd 0xbffff8dd: "test\n" |
This was the password I typed in, let’s see further
|
1 2 3 4 5 |
(gdb) x/3x $esp 0xbffff8bc: 0x080484e6 0xbffff8dd 0xbffff9dd (gdb) x/s 0xbffff9dd 0xbffff9dd: "snlprintf\n" (gdb) |
Seems like we got our answer.
let’s try the password :
|
1 2 3 4 |
level4@leviathan:/wargame$ ./level4 Enter the password> snlprintf [You've got shell]! sh-3.1$ |
Next Level.
Post a Comment