[Root Me] Binary6

The goal of this challenge is to read the content of the hidden file .passwd.

Running ls -l:

binary6@challenge02:~$ ls -l
total 16
-r-sr-x--- 1 binary6cracked binary6 9658 May  4  2013 binary6
---------- 1 binary6        binary6  367 May  4  2013 binary6.c

The ELF binary6 has the setuid bit set, so let's exploit that. Load the program in gdb, set a breakpoint at main, and run the program with argv[1] = test:

gdb$ b main
Breakpoint 1 at 0x80484fd: file binary6.c, line 6.
gdb$ run test

Disassemble main and let's investigate the following snippet:

0x0804852c <+56>:    mov    DWORD PTR [esp],eax
0x0804852f <+59>:    call   0x8048430 <atoi@plt>
0x08048534 <+64>:    cmp    eax,DWORD PTR [esp+0x1c]
0x08048538 <+68>:    jne    0x8048548 <main+84>

We know atoi(nptr) converts the string pointed to by nptr to an integer; for example, if nptr -> "1234" then atoi gives 1234.

So at call   0x8048430 <atoi@plt>

the first item on the stack will be nptr, so let's set a breakpoint on the call to atoi:

gdb$ b *0x0804852f

Check the top of the stack; we can guess that it points to the string that will be converted to an integer:

gdb$ x/1wx $esp

0xbffffc70:     0xbffffe67

Let's examine this memory location, 0xbffffe67:

gdb$ x/1s 0xbffffe67
0xbffffe67:      “test”

Great, so this is our input. The next statement is the compare:

0x08048534 <+64>:    cmp    eax,DWORD PTR [esp+0x1c]

eax contains the return value of atoi, which will be 0 since atoi("test") gives 0 (check the atoi man page if you are confused about this!).

So the value at the memory location esp+0x1c is our pass to get the shell:
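The whole challenge hinges on the two atoi facts used above: non-numeric input such as "test" silently becomes 0, and a numeric string such as "8" becomes 8, which is then compared against a value the program already holds. The C program below is an added example, not the original writeup's code and not the challenge's binary6.c (whose source is unreadable on the box). It reproduces the lenient atoi check the binary appears to do, and beside it the strict strtol-based parser a developer would want instead, so the failure mode is visible: with atoi, if the stored value happened to be 0, any garbage string would pass the compare. The function names and the sample inputs are constructed for this example.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Lenient conversion, as atoi() does it: "test" -> 0, "8abc" -> 8,
 * and no way for the caller to distinguish "0" from junk. */
int lenient_parse(const char *nptr)
{
    return atoi(nptr);
}

/* Strict conversion: accept only a complete, in-range decimal integer.
 * Returns 1 and stores the value on success, 0 on any defect
 * (empty string, trailing junk, overflow).  strtol still allows leading
 * whitespace and a sign, which is fine for a numeric token. */
int strict_parse(const char *nptr, int *out)
{
    char *end;
    errno = 0;
    long v = strtol(nptr, &end, 10);
    if (nptr[0] == '\0' || end == nptr || *end != '\0')
        return 0;                       /* nothing parsed, or junk after the number */
    if (errno == ERANGE || v < INT_MIN || v > INT_MAX)
        return 0;                       /* out of int range */
    *out = (int)v;
    return 1;
}

/* Mirrors the binary's  cmp eax, [esp+0x1c]  after atoi: 1 if the
 * argument "matches" the stored value, 0 otherwise. */
int lenient_check(const char *arg, int stored)
{
    return lenient_parse(arg) == stored;
}

/* Hardened version: a malformed argument can never match anything. */
int strict_check(const char *arg, int stored)
{
    int v;
    if (!strict_parse(arg, &v))
        return 0;
    return v == stored;
}

int main(void)
{
    /* Constructed sample inputs, including the ones seen in the writeup. */
    const char *inputs[] = { "test", "8", "0", "8abc", "", "99999999999" };
    size_t n = sizeof inputs / sizeof inputs[0];

    for (size_t i = 0; i < n; i++) {
        int v, ok = strict_parse(inputs[i], &v);
        printf("%-12s atoi=%-11d strict=%s", inputs[i], lenient_parse(inputs[i]),
               ok ? "ok " : "rejected");
        if (ok)
            printf(" (%d)", v);
        printf("  lenient_check(stored=0)=%d strict_check(stored=0)=%d\n",
               lenient_check(inputs[i], 0), strict_check(inputs[i], 0));
    }
    return 0;
}
```

The printed table shows "test" and "" both reported as 0 by atoi and therefore passing lenient_check against a stored 0, while strict_check rejects them; only a genuine numeric token such as "8" can ever match, and only when it equals the stored value.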

gdb$ print /x $esp+0x1c
$1 = 0xbffffc8c

Let's check the contents of this memory location:

gdb$ x/1wx 0xbffffc8c
0xbffffc8c:     0x00000008

So, as easy as that, it's the number 8. Run the program again with argv[1]=8, so atoi("8")=8,

and cmp 8,8

sets the zero flag, so the jne is not taken and execution continues to the /bin/sh statement, giving us a shell; then read the value of .passwd.