'Wargame/Vortex.overthewire.org'에 해당하는 글 3건


 
Category : System hacking

 

Level 2

Level Goal:
Create a special tar file
Helpful Reading Material
GNU tar manual
Code listing (level2.c)
 1 #include <stdlib.h>
 2 #include <stdio.h>
 3 #include <sys/types.h>
 4 
 5 
 6 int main(int argc, char **argv)
 7 {
 8         char *args[] = { "/bin/tar", "cf", "/tmp/ownership.$$.tar", argv[1], argv[2], argv[3] };
 9         execv(args[0], args);
10 }

Summary : socket programming , little endian , sum all receive data and send back

'Wargame > Vortex.overthewire.org' 카테고리의 다른 글

Vortex overthewire level2  (0) 2011.07.17
Vortex overthewire level1  (0) 2011.07.17
Vortex overthewire level0  (0) 2011.07.17

WRITTEN BY
pwn3r_45

트랙백  0 , 댓글  0개가 달렸습니다.
secret

Category : System hacking

 

Level 1

Canary Values
We are looking for a specific value in ptr. You may need to consider how bash handles EOF..
Reading Material
Smashing the Stack for Fun and Profit
Code listing (level1.c)
 1 #include <stdlib.h>
 2 #include <unistd.h>
 3 #include <string.h>
 4 #include <stdio.h>
 5 
 6 
 7 #define e(); if(((unsigned int)ptr & 0xff000000)==0xca000000) { setresuid(geteuid(), geteuid(), geteuid()); execlp("/bin/sh", "sh", "-i", NULL); }
 8 
 9 void print(unsigned char *buf, int len)
10 {
11         int i;
12 
13         printf("[ ");
14         for(i=0; i < len; i++) printf("%x ", buf[i]); 
15         printf(" ]\n");
16 }
17 
18 int main()
19 {
20         unsigned char buf[512];
21         unsigned char *ptr = buf + (sizeof(buf)/2);
22         unsigned int x;
23 
24         while((x = getchar()) != EOF) {
25                 switch(x) {
26                         case '\n': print(buf, sizeof(buf)); continue; break;
27                         case '\\': ptr--; break; 
28                         default: e(); if(ptr > buf + sizeof(buf)) continue; ptr++[0] = x; break;
29                 }
30         }
31         printf("All done\n");
32 }

Summary
 : socket programming , little endian , sum all receive data and send back


'Wargame > Vortex.overthewire.org' 카테고리의 다른 글

Vortex overthewire level2  (0) 2011.07.17
Vortex overthewire level1  (0) 2011.07.17
Vortex overthewire level0  (0) 2011.07.17

WRITTEN BY
pwn3r_45

트랙백  0 , 댓글  0개가 달렸습니다.
secret
Category : System hacking

Level 0

Level Goal:
Your goal is to connect to port 5842 on vortex.labs.overthewire.org and read in 4 unsigned integers in host byte order. Add these integers together and send back the results to get a username and password for level 1.
Note: that vortex is on an x86 machine (meaning, a little endian architecture)
Helpful Reading Material
C Programming Introduction
Network Programming Tutorial

Summary : socket programming , little endian , sum all received data and send back


문제에서 요구하는것은 vortex.labs.overthewire.org:5842에 접속하여 4개의 unsigned integers(little endian)를 받고 , 합하여 재전송해주는 것이다.
이를 python script로 작성해 문제를 해결한다.

script가 해야하는 동작을 순서대로 나열해보면

1) Connect
2) Receive * 4
3) Sum
4) Send

위와 같이 간단하다.
하지만 주의할 점은 server에서 little endian byte order에 따라 unsigned integer을 전송해주기 때문에 data를 수신하거나 전송할때에 struct 모듈을 이용하여 자료형을 맞춰주어야 한다.

[pwn3r@localhost io]$ cat exploit.py
#!/usr/bin/python 

from socket import * 
import struct 

HOST = "vortex.labs.overthewire.org" 
PORT = 5842 
data = 0 

print "[!] Exploit started !" 

s = socket(AF_INET , SOCK_STREAM) 
s.connect((HOST , PORT)) 

print "[+] Connected to server!" 

for i in range(4): 
tmp = struct.unpack("<l" , s.recv(4))[0] 
print "[+] Received : " + str(tmp) 
data += tmp 

print "[+] Sum of data is : " + str(data) 

data = struct.pack("<l" , data) 

print "[!] Sending data" 
s.send(data)
 
key = s.recv(1024) 
print "[+] Key : " + key 

s.close() 

[pwn3r@localhost io]$ python exploit.py
[!] Exploit started ! 
[+] Connected to server! 
[+] Received : 514893279 
[+] Received : 449990647 
[+] Received : 866074304 
[+] Received : 1362899077 
[+] Sum of data is : 3193857307
 
[!] Sending data 
[+] Key : Username: vortex1 Password: Gq#qu3bF3

vortex1 user의 password를 획득했다.

'Wargame > Vortex.overthewire.org' 카테고리의 다른 글

Vortex overthewire level2  (0) 2011.07.17
Vortex overthewire level1  (0) 2011.07.17
Vortex overthewire level0  (0) 2011.07.17

WRITTEN BY
pwn3r_45

트랙백  0 , 댓글  0개가 달렸습니다.
secret