iExploit

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In Apply for Membership

Top Posters

Who's Online (1)

Powered by Vanilla. Made with Bootstrap.
Looking to introduce yourself? Look no further, and click here! We also have IRC! [irc.evilzone.org #iexploit]
IO SmashtheStack Level01
  • Xin
    Posts: 3,251
    ----[IO SmashtheStack Level01

    Lets navigate to /levels and execute ./level01. We get the following response
     Usage: ./level01 <password>

    So if we type ./level01 awhawfat we get the response "fail"

    Lets open it in gdb to debug it.
    gdb ./level01


    We now disassemble it to view the program flow.
    (gdb) disass main
    Dump of assembler code for function main:
    0x080483f4 <main+0>:    lea    0x4(%esp),%ecx
    0x080483f8 <main+4>:    and    $0xfffffff0,%esp
    0x080483fb <main+7>:    pushl  -0x4(%ecx)
    0x080483fe <main+10>:   push   %ebp
    0x080483ff <main+11>:   mov    %esp,%ebp
    0x08048401 <main+13>:   push   %edi
    0x08048402 <main+14>:   push   %ecx
    0x08048403 <main+15>:   sub    $0x30,%esp
    0x08048406 <main+18>:   mov    %ecx,-0x20(%ebp)
    0x08048409 <main+21>:   movl   $0x80485c8,-0xc(%ebp)
    0x08048410 <main+28>:   mov    -0x20(%ebp),%eax
    0x08048413 <main+31>:   cmpl   $0x2,(%eax)
    0x08048416 <main+34>:   je     0x8048439 <main+69>
    0x08048418 <main+36>:   mov    -0x20(%ebp),%edx
    0x0804841b <main+39>:   mov    0x4(%edx),%eax
    0x0804841e <main+42>:   mov    (%eax),%eax
    0x08048420 <main+44>:   mov    %eax,0x4(%esp)
    0x08048424 <main+48>:   movl   $0x80485d4,(%esp)
    0x0804842b <main+55>:   call   0x804832c <printf@plt>
    0x08048430 <main+60>:   movl   $0x1,-0x1c(%ebp)
    0x08048437 <main+67>:   jmp    0x80484b2 <main+190>
    0x08048439 <main+69>:   mov    -0xc(%ebp),%eax
    ---Type <return> to continue, or q <return> to quit---
    0x0804843c <main+72>:   mov    $0xffffffff,%ecx
    0x08048441 <main+77>:   mov    %eax,-0x24(%ebp)
    0x08048444 <main+80>:   mov    $0x0,%al
    0x08048446 <main+82>:   cld
    0x08048447 <main+83>:   mov    -0x24(%ebp),%edi
    0x0804844a <main+86>:   repnz scas %es:(%edi),%al
    0x0804844c <main+88>:   mov    %ecx,%eax
    0x0804844e <main+90>:   not    %eax
    0x08048450 <main+92>:   lea    -0x1(%eax),%edx
    0x08048453 <main+95>:   mov    -0x20(%ebp),%ecx
    0x08048456 <main+98>:   mov    0x4(%ecx),%eax
    0x08048459 <main+101>:  add    $0x4,%eax
    0x0804845c <main+104>:  mov    (%eax),%ecx
    0x0804845e <main+106>:  mov    %edx,0x8(%esp)
    0x08048462 <main+110>:  mov    -0xc(%ebp),%eax
    0x08048465 <main+113>:  mov    %eax,0x4(%esp)
    0x08048469 <main+117>:  mov    %ecx,(%esp)
    0x0804846c <main+120>:  call   0x804830c <strncmp@plt>
    0x08048471 <main+125>:  test   %eax,%eax
    0x08048473 <main+127>:  jne    0x804849f <main+171>
    0x08048475 <main+129>:  movl   $0x80485ea,(%esp)
    0x0804847c <main+136>:  call   0x80482fc <puts@plt>
    0x08048481 <main+141>:  movl   $0x0,0x8(%esp)


    Look for <strncmp@plt> this is a string compare function obviously comparing our entry with the password. So lets put a breakpoint here. 
    /break *0x0804846c


    Then when we try run we get this
    (gdb) run pass
    Starting program&#58; /levels/level01 pass

    Breakpoint 1, 0x0804846c in main ()
    (gdb)


    Lets now try to examine the values of the addresses further by typing 

    (gdb) i r
    eax            0x80485c8        134514120
    ecx            0xbfffdec3       -1073750333
    edx            0xb      11
    ebx            0x249ff4 2400244
    esp            0xbfffdd00       0xbfffdd00
    ebp            0xbfffdd38       0xbfffdd38
    esi            0x8048510        134513936
    edi            0x80485d4        134514132
    eip            0x804846c        0x804846c &lt;main+120&gt;
    eflags         0x286    &#91; PF SF IF &#93;
    cs             0x73     115
    ss             0x7b     123
    ds             0x7b     123
    es             0x7b     123
    fs             0x0      0
    gs             0x33     51
    /code&#93;

    Standing for info registers&#46;
    We will now examine each address by typing 
    x/s address
    Eg
    &#91;code&#93;(gdb) x/s 0xbfffdec3
    0xbfffdec3&#58;      \"pass\"
    &#91;/code&#93;

    This is what we typed in to run the program, lets now examine other addresses&#46; 

    &#91;code&#93;(gdb) x/s 0x80485c8
    0x80485c8&#58;       \"omgpassword\"


    Here we get the password. So simple run the program
    ./level01 omgpassword
    And you will have completed it.

    Wasnt too hard was it ;)
    Xin
  • Null Set
    Posts: 112
    Too much hassle for such a short challenge, Xinapse. Try "strings level01" :P
  • Xin
    Posts: 3,251
    said:


    Too much hassle for such a short challenge, Xinapse. Try "strings level01" :P



    lol now thats annoying, oh well got the password anyway.
    Xin
  • schumbag
    Posts: 23
    what's the code ./level01 ??
    share that please :)
  • Xin
    Posts: 3,251
    said:


    what's the code ./level01 ??
    share that please :)



    The password? I just pretty much handfed it to you with this surely you can do it :p
    Xin
  • Null Set
    Posts: 112
    said:


    said:


    what's the code ./level01 ??
    share that please :)



    The password? I just pretty much handfed it to you with this surely you can do it :p


    I think he's referring to the source code. I think for Level 1, there is no source code in smashthestack. Try connecting to it using ssh and check for yourself. :)
  • schumbag
    Posts: 23
    i see :LOL maybe this impact my language too bad *ROFL
Add a Comment