Smash The Stack – Level2

Level2

Connect using the same command mentioned above, but change ‘level1’ to ‘level2’:

ssh -l level2 io.smashthestack.org -p2224

Using your basic Linux skills, change your present working directory to /levels. There are two programs in this level. You can use either of them to get a shell.

Program #1

level2@io:/levels$ cat level02.c
void catcher(int a)
{
    setresuid(geteuid(),geteuid(),geteuid());
    printf("WIN!\n");
    system("/bin/sh");
    exit(0);
}
int main(int argc, char **argv)
{
    puts("source code is available in level02.c\n");
    if (argc != 3 || !atoi(argv[2]))
        return 1;
    signal(SIGFPE, catcher);
    return atoi(argv[1]) / atoi(argv[2]);
}

This program is comparatively tough if you don’t know the concept of signals. I didn’t know about signals before doing this. The user has to supply two arguments when running the program. Depending on the input given, the program will call the function catcher.

level2@io:/levels$ ./level02 argv[1] argv[2]

if (argc != 3 || !atoi(argv[2]))
    return 1;

This part of the code checks whether the user has given 3 arguments (the program name plus the two values). It also checks whether argv[2] converts to a non-zero integer using the function atoi, which converts a string into its integer representation and returns 0 when it cannot.

signal(SIGFPE, catcher);
return atoi(argv[1]) / atoi(argv[2]);

In order to get the shell, we have to call the catcher function. It is invoked when the program receives a floating-point exception signal (SIGFPE). You have to find a way to generate a floating-point exception. Refer to these wiki pages: http://en.wikipedia.org/wiki/Limits.h http://en.wikipedia.org/wiki/SIGFPE. (If you don’t find it, please let me know :))
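To see how a handler registered for SIGFPE gets control, here is an added example (not part of the level's source or the original post). The names on_fpe, handler_fired, float_div_by_zero and raise_fpe are hypothetical, and the handler only jumps back instead of starting a shell. It shows that a floating-point division by zero does not deliver SIGFPE in the default environment, while a SIGFPE raised explicitly does reach the handler.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>

static sigjmp_buf resume_point;  /* where the handler hands control back */

/* Hypothetical stand-in for the level's catcher(): jumps back, no shell. */
static void on_fpe(int signo) { (void)signo; siglongjmp(resume_point, 1); }

/* Install on_fpe for SIGFPE, run op(), and report what happened:
 * 1 = SIGFPE was delivered, 0 = op() returned normally, -1 = setup failed. */
static int handler_fired(void (*op)(void))
{
    struct sigaction sa, old;
    int fired = 0;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fpe;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGFPE, &sa, &old) != 0)
        return -1;
    if (sigsetjmp(resume_point, 1) == 0)  /* 1: restore the signal mask on jump */
        op();
    else
        fired = 1;                        /* we arrived here from the handler */
    sigaction(SIGFPE, &old, NULL);        /* put the old disposition back */
    return fired;
}

/* IEEE 754 division by zero: with the default floating-point environment the
 * result is infinity and no signal is delivered, despite the name SIGFPE. */
static void float_div_by_zero(void)
{
    volatile double num = 1.0, den = 0.0;
    volatile double q = num / den;        /* volatile forces a runtime division */
    (void)q;
}

static void raise_fpe(void) { raise(SIGFPE); }  /* send SIGFPE to ourselves */
int float_division_signals(void) { return handler_fired(float_div_by_zero); }
int explicit_raise_signals(void) { return handler_fired(raise_fpe); }

int main(void)
{
    printf("float 1.0/0.0: %d, raise(SIGFPE): %d\n", float_division_signals(), explicit_raise_signals());
    return 0;
}
```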

If you get a new shell, don’t forget to save the password for the next level on your local machine.

There is an alternative question in the 2nd round.

Program #2

#define answer 3.141593
void main(int argc, char **argv)
{
    float a = (argc - 2)?: strtod(argv[1], 0);
    printf("\nYou provided the number %f which is too ", a);
    if(a > answer)
        puts("high");
    else if(a < answer)
        puts("low");
    else
        execl("/bin/sh", "sh", "-p", NULL);
}

In this program answer is defined with a decimal value. The default decimal value is taken as float in C.

#define answer 3.141593

strtod converts a string to a double. The returned value is stored in ‘a’, which is a floating-point variable.

float a = (argc - 2)?: strtod(argv[1], 0);

According to the given argument, the program will display whether it is high or low:

printf("\nYou provided the number %f which is too ", a);
if(a > answer)
    puts("high");
else if(a < answer)
    puts("low");
else
    execl("/bin/sh", "sh", "-p", NULL);

But we are not trying to get high or low. We need a shell to read the 3rd level password. For that, the program must reach the else branch. This is a hint for you: refer to the man page for ‘strtod’.
