
[SmashTheStack – IO] Level 1 – Another one


Today I went back to STS IO, connected to level 1, and found that it had changed since the last time.

Well, after a while, I found the way around this one.

Level 1: (the very first, yet another)

Go to __/levels__ and run the binary with the password found previously:

$ cd levels
$ ./level01 omgpassword
Fail.

So, rolling on with (gdb) buddy.

level1@io:/levels$ gdb level01
GNU gdb (GDB) 7.0.1-debian
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /levels/level01...(no debugging symbols found)...done.
(gdb) disas main
Dump of assembler code for function main:
0x08048596 <main+0>:    push   %ebp
0x08048597 <main+1>:    mov    %esp,%ebp
0x08048599 <main+3>:    sub    $0x18,%esp
0x0804859c <main+6>:    and    $0xfffffff0,%esp
0x0804859f <main+9>:    mov    $0x0,%eax
0x080485a4 <main+14>:   sub    %eax,%esp
0x080485a6 <main+16>:   cmpl   $0x2,0x8(%ebp)
0x080485aa <main+20>:   je     0x80485ca <main+52>
0x080485ac <main+22>:   mov    0xc(%ebp),%eax
0x080485af <main+25>:   mov    (%eax),%eax
0x080485b1 <main+27>:   mov    %eax,0x4(%esp)
0x080485b5 <main+31>:   movl   $0x8048760,(%esp)
0x080485bc <main+38>:   call   0x80483b8 <printf@plt>
0x080485c1 <main+43>:   movl   $0x0,-0x4(%ebp)
0x080485c8 <main+50>:   jmp    0x8048618 <main+130>
0x080485ca <main+52>:   call   0x804852d <pass>
0x080485cf <main+57>:   movl   $0x64,0x8(%esp)
0x080485d7 <main+65>:   mov    0xc(%ebp),%eax
0x080485da <main+68>:   add    $0x4,%eax
0x080485dd <main+71>:   mov    (%eax),%eax
0x080485df <main+73>:   mov    %eax,0x4(%esp)
0x080485e3 <main+77>:   movl   $0x80491a0,(%esp)
0x080485ea <main+84>:   call   0x80483a8 <mbstowcs@plt> // <-- blah blah
0x080485ef <main+89>:   movl   $0x8049140,0x4(%esp)
0x080485f7 <main+97>:   movl   $0x80491a0,(%esp)
0x080485fe <main+104>:  call   0x80483d8 <wcscmp@plt>  // <-- blah blah
0x08048603 <main+109>:  test   %eax,%eax
0x08048605 <main+111>:  jne    0x804860c <main+118>
0x08048607 <main+113>:  call   0x80484b4 <win>
0x0804860c <main+118>:  movl   $0x8048795,(%esp)
0x08048613 <main+125>:  call   0x80483e8 <puts@plt>
0x08048618 <main+130>:  mov    -0x4(%ebp),%eax
0x0804861b <main+133>:  leave
0x0804861c <main+134>:  ret
End of assembler dump.

Now there is a wide-character comparison going on.
The two values being compared are stored at __0x8049140__ and __0x80491a0__.
Let’s dissect it by setting a breakpoint at <main+104>:

(gdb) b *main+104
Breakpoint 1 at 0x80485fe
(gdb) r qwert
Starting program: /levels/level01 qwert

Breakpoint 1, 0x080485fe in main ()
(gdb) x/s 0x80491a0
0x80491a0 <input>:       "q"

It stops here and I try to print the value at __0x80491a0__, but get only the letter “q”??
Why is that so?
It’s because the string is converted to a wide-character string at <main+84>, where mbstowcs() is called to do the conversion. So instead of “S”, the buffer holds “S” followed by NUL padding bytes (one 4-byte wide character per letter), and x/s stops at the first NUL byte.
I haven’t found any solution for printing wide-character strings.
So just print each letter by hand…
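To make the layout concrete, here is an added example in C (not code from the level binary or from the post) that mirrors the check seen in the disassembly: argv[1] is converted with mbstowcs() using the same n = 0x64 bound, the result is compared with wcscmp(), and helper functions expose the wide buffer one wchar_t and one byte at a time, which is exactly what stepping through &input, &input+1, ... does in gdb. The password "SecretPW", the buffer name input and the "Win!"/"Fail." messages are constructed stand-ins for the binary's globals and output.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Constructed stand-ins for the binary's two globals: pw holds the password the
   post recovers by walking <pw>, input is the buffer mbstowcs() fills at <main+84>.
   The disassembly passes n = 0x64 (100) to mbstowcs(), so that bound is kept here. */
#define WBUF_LEN 100
static const wchar_t pw[] = L"SecretPW";
static wchar_t input[WBUF_LEN];

/* Step 1 of the check: convert the narrow argv[1] into the wide buffer.
   Returns the number of wide characters written (excluding the terminator),
   or 0 if the bytes are not a valid multibyte sequence in the current locale. */
size_t convert_arg(const char *arg) {
    memset(input, 0, sizeof input);
    size_t n = mbstowcs(input, arg, WBUF_LEN);  /* same n = 100 as in the disassembly */
    return n == (size_t)-1 ? 0 : n;
}

/* Steps 1 and 2 together: mirrors main()'s mbstowcs() + wcscmp() + jne sequence. */
int check_password(const char *arg) {
    convert_arg(arg);
    return wcscmp(input, pw) == 0;   /* 1 -> win() is called, 0 -> "Fail." */
}

/* i-th wide character of input, i.e. what "x/s &input+i" lands on in gdb,
   because &input+i advances by sizeof(wchar_t) bytes, not by one byte. */
int input_wchar(size_t i) { return (int)input[i]; }

/* i-th raw byte of input, to look at the padding mbstowcs() produces. */
int input_byte(size_t i) { return ((const unsigned char *)input)[i]; }

/* Number of bytes "x/s &input" prints: it reads until the first NUL byte,
   which for ASCII text is the second byte of the very first wchar_t. */
size_t bytes_shown_by_x_s(void) {
    const unsigned char *p = (const unsigned char *)input;
    size_t n = 0;
    while (p[n] != 0) n++;
    return n;
}

/* Print the buffer one wchar_t at a time, the way the post does with
   x/s &input, &input+1, ... but in a single loop, with the raw bytes. */
void dump_wide(const wchar_t *ws, size_t count) {
    for (size_t i = 0; i < count && ws[i] != 0; i++) {
        const unsigned char *b = (const unsigned char *)&ws[i];
        printf("&input+%zu: '%c'  bytes:", i, (char)ws[i]);
        for (size_t k = 0; k < sizeof(wchar_t); k++) printf(" %02x", b[k]);
        printf("\n");
    }
}

int main(int argc, char **argv) {
    const char *arg = argc > 1 ? argv[1] : "qwert";   /* constructed sample input */
    size_t n = convert_arg(arg);
    printf("mbstowcs() wrote %zu wide chars of %zu bytes each\n", n, sizeof(wchar_t));
    printf("x/s would show only %zu byte(s) before the first NUL\n", bytes_shown_by_x_s());
    dump_wide(input, WBUF_LEN);
    printf("%s\n", check_password(arg) ? "Win!" : "Fail.");
    return 0;
}
```

Run it as `./a.out qwert` to see why the post's `x/s &input` shows a single "q": the first wchar_t is the bytes 71 00 00 00, and x/s stops at that first 00. The same dump on the pw buffer is why each `x/s &pw+N` yields exactly one letter, and why reading it at 4-byte strides recovers "SecretPW".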

Breakpoint 1, 0x080485fe in main ()
(gdb) x/s 0x80491a0
0x80491a0 <input>:       "q"
(gdb) x/s input
0x71:    <Address 0x71 out of bounds>
(gdb) x/s &input
0x80491a0 <input>:       "q"
(gdb) x/s &input+1
0x80491a4 <input+4>:     "w"
(gdb) x/s &input+2
0x80491a8 <input+8>:     "e"
(gdb) x/s &input+3
0x80491ac <input+12>:    "r"
(gdb) x/s &input+4
0x80491b0 <input+16>:    "t"
(gdb) x/s &input+5
0x80491b4 <input+20>:    ""
(gdb) x/s &input+6
0x80491b8 <input+24>:    ""
(gdb) x/s &pw
0x8049140 <pw>:  "S"
(gdb) x/s &pw+1
0x8049144 <pw+4>:        "e"
(gdb) x/s &pw+2
0x8049148 <pw+8>:        "c"
(gdb) x/s &pw+4
0x8049150 <pw+16>:       "e"
(gdb) x/s &pw+5
0x8049154 <pw+20>:       "t"
(gdb) x/s &pw+6
0x8049158 <pw+24>:       "P"
(gdb) x/s &pw+7
0x804915c <pw+28>:       "W"
(gdb) x/s &pw+8
0x8049160 <pw+32>:       ""

Finally, I’ve got what I need.

level1@io:/levels$ ./level01 SecretPW
Win!

You will find the ssh password for level2 in /home/level2/.pass
sh-4.1$ cat /home/level2/.pass
tLmf7msJTJHE**

Well done …

Cheers,

Pete Houston
