For exploitation 200 we were given an ELF 64-bit LSB executable. The binary takes a password as input; if we get the password right, setuid() and system() are called, which eventually print the flag from a file. The disassembly shows a series of movb instructions writing values onto the stack in the address range $rbp-0x12 to $rbp-0x20:
data = [0x64, 0x36, 0x34, 0x38, 0x37, 0x65, 0x36, 0x39, 0x62, 0x65, 0x38, 0x64, 0x38, 0x35, 0x31]
Then there is a loop which checks the user input against this value. Reading the string at $rbp-0x20 gives us the password. Input the password and get the flag.
```
// This is the loop
0x0000000000400783 <+177>: movl $0x0,-0x38(%rbp)
0x000000000040078a <+184>: jmp 0x4007c0 <main+238>
0x000000000040078c <+186>: lea -0x20(%rbp),%rdx
0x0000000000400790 <+190>: mov -0x38(%rbp),%eax
0x0000000000400793 <+193>: cltq
0x0000000000400795 <+195>: lea (%rdx,%rax,1),%rax
0x0000000000400799 <+199>: movzbl (%rax),%edx
0x000000000040079c <+202>: lea -0x30(%rbp),%rcx
0x00000000004007a0 <+206>: mov -0x38(%rbp),%eax
0x00000000004007a3 <+209>: cltq
0x00000000004007a5 <+211>: lea (%rcx,%rax,1),%rax
0x00000000004007a9 <+215>: movzbl (%rax),%eax
0x00000000004007ac <+218>: cmp %al,%dl
0x00000000004007ae <+220>: je 0x4007bc <main+234>
0x00000000004007b0 <+222>: mov $0x400920,%edi
0x00000000004007b5 <+227>: callq 0x400568 <puts@plt>
0x00000000004007ba <+232>: jmp 0x4007f5 <main+291>
0x00000000004007bc <+234>: addl $0x1,-0x38(%rbp)
0x00000000004007c0 <+238>: cmpl $0xf,-0x38(%rbp)
0x00000000004007c4 <+242>: jle 0x40078c <main+186>

Breakpoint 1, 0x000000000040078c in main ()
(gdb) x/i $rip
=> 0x40078c <main+186>: lea -0x20(%rbp),%rdx
(gdb) x/s $rbp-0x20
0x7fffffffe060: "d6487e69be8d851"

$ ./level100 d6487e69be8d851
Congratulation, let me grab you content of key.txt
YOUR KEY IS : e4783253f92332ddb7d30a24cd9d1541
```
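The same string can be read out of the movb immediates statically, without setting a breakpoint, which is also why a secret assembled on the stack this way is no better hidden than one stored in .rodata. The following is an added example, not part of the original post: the listing in SAMPLE is constructed from the byte values and the $rbp-0x20 to $rbp-0x12 range given above, and the function names are hypothetical.

```python
import re

# Constructed sample: AT&T-syntax movb stores in the style gdb prints, built
# from the byte values and offset range in the writeup. Instruction addresses
# are omitted and the order is reversed to show that store order is irrelevant.
DATA = [0x64, 0x36, 0x34, 0x38, 0x37, 0x65, 0x36, 0x39,
        0x62, 0x65, 0x38, 0x64, 0x38, 0x35, 0x31]
SAMPLE = "\n".join(
    f"movb   $0x{b:x},-0x{0x20 - i:x}(%rbp)"
    for i, b in reversed(list(enumerate(DATA)))
)

MOVB = re.compile(r"movb\s+\$0x([0-9a-fA-F]+),\s*-0x([0-9a-fA-F]+)\(%rbp\)")


def stack_bytes(disasm):
    """Map rbp-relative offset -> byte for every movb immediate store."""
    stores = {}
    for imm, off in MOVB.findall(disasm):
        stores[-int(off, 16)] = int(imm, 16) & 0xFF  # a later store overwrites
    return stores


def recover_strings(disasm, min_len=4):
    """Join stores at consecutive offsets into printable ASCII strings."""
    stores = stack_bytes(disasm)
    found, run, start, prev = [], [], None, None
    for off in sorted(stores):
        byte = stores[off]
        contiguous = prev is not None and off == prev + 1
        printable = 0x20 <= byte < 0x7F
        # A gap in the offsets or a non-printable byte (e.g. NUL) ends a run.
        if run and not (contiguous and printable):
            if len(run) >= min_len:
                found.append((start, bytes(run).decode("ascii")))
            run = []
        if printable:
            if not run:
                start = off
            run.append(byte)
        prev = off
    if len(run) >= min_len:
        found.append((start, bytes(run).decode("ascii")))
    return found


if __name__ == "__main__":
    for offset, text in recover_strings(SAMPLE):
        print(f"rbp{offset:+#x}: {text}")
```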