[Root Me] Binary6

The goal of this challenge is to read the content of the hidden file .passwd.

Running ls -l in the challenge directory:

binary6@challenge02:~$ ls -l
total 16
-r-sr-x--- 1 binary6cracked binary6 9658 May  4  2013 binary6
---------- 1 binary6        binary6  367 May  4  2013 binary6.c

The binary6 ELF has the setuid bit set, so that is what we exploit. Load the program in gdb, set a breakpoint at main, and run it with the string test as argv[1]:

gdb$ b main
Breakpoint 1 at 0x80484fd: file binary6.c, line 6.
gdb$ run test

Disassemble main and look at the following snippet:

0x0804852c <+56>:    mov    DWORD PTR [esp],eax
0x0804852f <+59>:    call   0x8048430 <atoi@plt>
0x08048534 <+64>:    cmp    eax,DWORD PTR [esp+0x1c]
0x08048538 <+68>:    jne    0x8048548 <main+84>

We know that atoi(nptr) converts the string pointed to by nptr into an integer; for example, if nptr points to "1234", atoi returns 1234.

So at call 0x8048430 <atoi@plt> the first item on the stack will be nptr. Set a breakpoint on the call to atoi:

gdb$ b *0x0804852f

Check the top of the stack; it should hold a pointer to the string that will be converted to an integer:

gdb$ x/1wx $esp

0xbffffc70:     0xbffffe67

Examine this memory location, 0xbffffe67:

gdb$ x/1s 0xbffffe67
0xbffffe67:      “test”

Great, so this is our input. The next instruction is the compare:

0x08048534 <+64>:    cmp    eax,DWORD PTR [esp+0x1c]

eax holds the return value of atoi, which is 0 here because atoi("test") returns 0: a string with no leading digits converts to 0 (check the atoi man page if this is unclear).

So the value stored at [esp+0x1c] is what our input must match to get the shell:

gdb$ print /x $esp+0x1c
$1 = 0xbffffc8c

Check the contents of this memory location:

gdb$ x/1wx 0xbffffc8c
0xbffffc8c:     0x00000008

As easy as that: it is the number 8. Run the program again with argv[1]=8, so that atoi("8")=8,

and cmp 8,8

sets the zero flag, so the jne at <+68> is not taken and execution continues into the /bin/sh branch, giving us a shell. From there, read the value of .passwd.
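The write-up hinges on atoi() returning 0 for a non-numeric string and on the comparison against a value held on the stack. The following is an added example (not the challenge's binary6.c, which is not shown on the page) that reproduces that atoi-based check beside a strict replacement built on strtol; the helper names parse_int_strict, check_with_atoi and check_strict and the expected value 8 are assumptions taken from the write-up.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Strict replacement for atoi(): returns 1 and stores the value only when the
 * whole string is a valid decimal integer that fits in an int. Returns 0 for
 * empty input, trailing garbage (e.g. "8abc") and out-of-range values, all of
 * which atoi() silently accepts. */
int parse_int_strict(const char *s, long *out) {
    char *end;
    if (s == NULL || *s == '\0')
        return 0;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno == ERANGE)                 /* overflow or underflow */
        return 0;
    if (*end != '\0')                    /* not every character was consumed */
        return 0;
    if (v < INT_MIN || v > INT_MAX)      /* strtol yields long; keep int range */
        return 0;
    *out = v;
    return 1;
}

/* The check the disassembly shows: atoi(argv[1]) compared against a stack
 * value. atoi("test") is 0, which is why the debugger session saw eax == 0. */
int check_with_atoi(const char *input, int expected) {
    return atoi(input) == expected;
}

/* Hardened variant: a string that is not a well-formed integer never matches,
 * so non-numeric input cannot accidentally equal a stored 0. */
int check_strict(const char *input, int expected) {
    long v;
    if (!parse_int_strict(input, &v))
        return 0;
    return (int)v == expected;
}

int main(int argc, char **argv) {
    const char *in = argc > 1 ? argv[1] : "test";   /* "test" mirrors the write-up */
    printf("atoi(\"%s\") = %d\n", in, atoi(in));
    printf("check_with_atoi(\"%s\", 8) = %d\n", in, check_with_atoi(in, 8));
    printf("check_strict(\"%s\", 8) = %d\n", in, check_strict(in, 8));
    return 0;
}
```

Note that with an expected value of 0 the atoi() path would accept any non-numeric string, while check_strict rejects it.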


2 thoughts on "[Root Me] Binary6"

  1. Hello,

    you’ve published several solutions to Root-Me’s challenges.
    As it’s written in the legal disclaimer, documents published on the site are covered by copyrights. Any retaking is conditioned to the respect of the intellectual property considering the authors and assignees.

    That’s why the publishing of solutions, with a free access outside of the portal, is not allowed.

    So, we ask you to remove this content.
    If it’s not the case in a delay of 7 days, we will lock your account on our portal.

    Root-Me already offers you to share solutions with other players directly on the website but respectfully for those who didn’t validate challenges.
    These rules are here in order to keep a user-friendly and emulating spirit and to learn infosec together with fun.

    You can find more info at:
    http://www.root-me.org/en/Informations/Legal-Disclaimer/
    http://www.root-me.org/en/breve/Public-solutions-and-cheating

    Thank you in advance for your action,
    Faithfully,
    Root-Me team


  2. Hello,

    we have detected that you’ve published several solutions to Root-Me’s challenges in this blog.

    As it’s written in the legal disclaimer, documents published on the site are covered by copyrights. Any retaking is conditioned to the respect of the intellectual property considering the authors and assignees.

    That’s why the publishing of solutions, with a free access outside of the portal, is not allowed.

    So, we ask you to remove this content.
    If it’s not the case in a delay of 7 days, we will lock your account on our portal.

    Root-Me already offers you to share solutions with other players directly on the website but respectfully for those who didn’t validate challenges.
    These rules are here in order to keep a user-friendly and emulating spirit and to learn infosec together with fun.

    You can find more info at:
    http://www.root-me.org/en/Informations/Legal-Disclaimer/
    http://www.root-me.org/en/breve/Public-solutions-and-cheating

    Thank you in advance for your action,
    Faithfully,

    Root-Me team
