snow-crash/level13
2026-01-28 02:49:41 +01:00

On arriving at level13, I notice the file level13:

```
ls -l level13
-rwsr-sr-x 1 flag13 level13 7303 Aug 30  2015 level13
```

I also notice that it is C:

```
ltrace ./level13
__libc_start_main(0x804858c, 1, 0xbffff7f4, 0x80485f0, 0x8048660 <unfinished ...>
getuid()                                                                  = 2013
getuid()                                                                  = 2013
printf("UID %d started us but we we expe"..., 2013UID 2013 started us but we we expect 4242
)                       = 42
exit(1 <unfinished ...>
+++ exited (status 1) +++
```

Running it (more cleanly), it expects UID 4242:

```
level13@SnowCrash:~$ ./level13
UID 2013 started us but we we expect 4242
```

Here is the code of the main function:

```
0804858c <main>:
 804858c:	55                   	push   ebp
 804858d:	89 e5                	mov    ebp,esp
 804858f:	83 e4 f0             	and    esp,0xfffffff0
 8048592:	83 ec 10             	sub    esp,0x10
 8048595:	e8 e6 fd ff ff       	call   8048380 <getuid@plt>
 804859a:	3d 92 10 00 00       	cmp    eax,0x1092
 804859f:	74 2a                	je     80485cb <main+0x3f>
 80485a1:	e8 da fd ff ff       	call   8048380 <getuid@plt>
 80485a6:	ba c8 86 04 08       	mov    edx,0x80486c8
 80485ab:	c7 44 24 08 92 10 00 	mov    DWORD PTR [esp+0x8],0x1092
 80485b2:	00
 80485b3:	89 44 24 04          	mov    DWORD PTR [esp+0x4],eax
 80485b7:	89 14 24             	mov    DWORD PTR [esp],edx
 80485ba:	e8 a1 fd ff ff       	call   8048360 <printf@plt>
 80485bf:	c7 04 24 01 00 00 00 	mov    DWORD PTR [esp],0x1
 80485c6:	e8 d5 fd ff ff       	call   80483a0 <exit@plt>
 80485cb:	c7 04 24 ef 86 04 08 	mov    DWORD PTR [esp],0x80486ef
 80485d2:	e8 9d fe ff ff       	call   8048474 <ft_des>
 80485d7:	ba 09 87 04 08       	mov    edx,0x8048709
 80485dc:	89 44 24 04          	mov    DWORD PTR [esp+0x4],eax
 80485e0:	89 14 24             	mov    DWORD PTR [esp],edx
 80485e3:	e8 78 fd ff ff       	call   8048360 <printf@plt>
 80485e8:	c9                   	leave
 80485e9:	c3                   	ret
 80485ea:	90                   	nop
 80485eb:	90                   	nop
 80485ec:	90                   	nop
 80485ed:	90                   	nop
 80485ee:	90                   	nop
 80485ef:	90                   	nop
```

In particular, this line (7) is the one that will interest us:

```
804859a:    cmp    eax,0x1092
```

0x1092 = 4242 in decimal, so all we need to do is change the value of our UID at the moment of the comparison (using gdb):

```
(gdb) b main
Breakpoint 1 at 0x804858f
(gdb) b *0x804859a
Breakpoint 2 at 0x804859a
(gdb) r
Starting program: /home/user/level13/level13

Breakpoint 1, 0x0804858f in main ()
(gdb) s
Single stepping until exit from function main,
which has no line number information.

Breakpoint 2, 0x0804859a in main ()
(gdb) set $eax=0x1092
(gdb) c
Continuing.
your token is 2A31L79asukciNyi8uppkEuSx
[Inferior 1 (process 2288) exited with code 050]
```
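
Why the register edit is enough, as an added example that is not part of the original README or the level's source: a C model of the in-process UID check from `main`, next to a variant where the kernel enforces access instead. `BLOB`, `decode` (a stand-in for `ft_des`, whose body is not shown here), both `gate_*` functions and the secret-file path are assumptions, and the sample data is constructed.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define EXPECTED_UID 0x1092 /* 4242, the immediate in `cmp eax,0x1092` */

/* Constructed sample: "EXAMPLE-TOKEN" XOR 0x2a. Not the level's real data. */
static const unsigned char BLOB[] = {0x6f, 0x72, 0x6b, 0x67, 0x7a, 0x66, 0x6f,
                                     0x07, 0x7e, 0x65, 0x61, 0x6f, 0x64};

/* Hypothetical stand-in for ft_des, whose body is not shown on the page. */
static void decode(char *out, size_t outlen) {
    size_t n = sizeof BLOB < outlen - 1 ? sizeof BLOB : outlen - 1;
    for (size_t i = 0; i < n; i++) out[i] = (char)(BLOB[i] ^ 0x2a);
    out[n] = '\0';
}

/* Weak pattern, as in main(): the secret ships inside the binary and the only
 * gate is one compare on a register of a process its own user can trace.
 * Returns 1 and fills out when the value is released. */
int gate_in_process(uid_t uid, char *out, size_t outlen) {
    if (outlen == 0 || uid != EXPECTED_UID) return 0;
    decode(out, outlen);
    return 1;
}

/* Hardened pattern: the binary holds no secret and reads it from a file
 * (for example mode 0400, owned by the privileged account). The kernel checks
 * the effective UID at open(), and a set-uid program started under a tracer
 * is not given the elevated UID, so editing a register changes nothing. */
int gate_kernel_enforced(const char *path, char *out, size_t outlen) {
    if (outlen == 0) return 0;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return 0;
    ssize_t n = read(fd, out, outlen - 1);
    close(fd);
    if (n <= 0) return 0;
    out[n] = '\0';
    return 1;
}

int main(void) {
    char buf[64];
    if (gate_in_process(getuid(), buf, sizeof buf)) printf("released: %s\n", buf);
    else printf("UID %d rejected by the in-process check\n", (int)getuid());
    return 0;
}
```

In the first function the decoded value never depends on the UID, only the branch does, which is why the output is identical for any caller who can steer that branch.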