esrever
10-21-2010, 10:24 AM
Hi all,
I'm trying a basic buffer overflow game at smashthestack. After logging in, I found one file in the home directory, login2.
level1@blackbox:~$ ls -las
total 1184
4 drwxr-x--- 2 level1 level1 4096 Jul 9 2009 .
4 drwxr-xr-x 16 root root 4096 Dec 20 2009 ..
0 lrwxrwxrwx 1 root root 9 Jun 17 2009 .bash_history -> /dev/null
4 -rw-r--r-- 1 level1 level1 567 Dec 29 2007 .bash_profile
4 -rw-r--r-- 1 level1 level1 1834 Jan 28 2008 .bashrc
1168 -rws--xr-x 1 level2 level2 1189337 Jan 12 2008 login2
I quickly checked the file and found out that it is an LSB executable file.
level1@blackbox:~$ file login2
login2: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.4.1, statically linked, for GNU/Linux 2.4.1, not stripped
So I tried to run the file and got this output:
level1@blackbox:~$ ./login2
Username: admin
Password: password
Invalid username or password
Looks like I need to find the correct username and password, right?
I tried to view the file but failed.
level1@blackbox:~$ more login2
******** login2: Not a text file ********
So I decided to run it in GDB to look at the contents.
level1@blackbox:~$ gdb ./login2
GNU gdb 6.4.90-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...Using host libthread_db library "/lib/tls/libthread_db.so.1".
I'm not very familiar with GDB. So I've been reading the GDB tutorial and tried the disassemble command to see the assembly code of this program.
http://www.unknownroad.com/rtfm/gdbtut/gdbadvanced.html#DISASS
(gdb) disassemble main
Dump of assembler code for function main:
0x0804827a <main+0>: lea 0x4(%esp),%ecx
0x0804827e <main+4>: and $0xfffffff0,%esp
0x08048281 <main+7>: pushl 0xfffffffc(%ecx)
0x08048284 <main+10>: push %ebp
0x08048285 <main+11>: mov %esp,%ebp
0x08048287 <main+13>: push %ebx
0x08048288 <main+14>: push %ecx
0x08048289 <main+15>: sub $0x30,%esp
0x0804828c <main+18>: lea 0xfffffff4(%ebp),%eax
0x0804828f <main+21>: mov %eax,(%esp)
0x08048292 <main+24>: call 0x8072ec0 <_ZNSsC1Ev>
0x08048297 <main+29>: lea 0xfffffff0(%ebp),%eax
0x0804829a <main+32>: mov %eax,(%esp)
0x0804829d <main+35>: call 0x8072ec0 <_ZNSsC1Ev>
0x080482a2 <main+40>: movl $0x80ffe48,0x4(%esp)
0x080482aa <main+48>: movl $0x8130f60,(%esp)
0x080482b1 <main+55>: call 0x806d8f0 <_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc>
0x080482b6 <main+60>: lea 0xfffffff4(%ebp),%eax
0x080482b9 <main+63>: mov %eax,0x4(%esp)
0x080482bd <main+67>: movl $0x8130ec0,(%esp)
0x080482c4 <main+74>: call 0x806b2e0 <_ZSt7getlineIcSt11char_traitsIcESaIcEERSt13basic_istreamIT_T0_ES7_RSbIS4_S5_T1_E>
0x080482c9 <main+79>: movl $0x80ffe53,0x4(%esp)
0x080482d1 <main+87>: movl $0x8130f60,(%esp)
0x080482d8 <main+94>: call 0x806d8f0 <_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc>
0x080482dd <main+99>: lea 0xfffffff0(%ebp),%eax
0x080482e0 <main+102>: mov %eax,0x4(%esp)
0x080482e4 <main+106>: movl $0x8130ec0,(%esp)
0x080482eb <main+113>: call 0x806b2e0 <_ZSt7getlineIcSt11char_traitsIcESaIcEERSt13basic_istreamIT_T0_ES7_RSbIS4_S5_T1_E>
0x080482f0 <main+118>: movl $0x80ffe5e,0x4(%esp)
0x080482f8 <main+126>: lea 0xfffffff4(%ebp),%eax
0x080482fb <main+129>: mov %eax,(%esp)
0x080482fe <main+132>: call 0x80483ee <_ZSteqIcSt11char_traitsIcESaIcEEbRKSbIT_T0_T1_EPKS3_>
0x08048303 <main+137>: xor $0x1,%al
0x08048305 <main+139>: test %al,%al
0x08048307 <main+141>: jne 0x8048328 <main+174>
0x08048309 <main+143>: movl $0x80ffe65,0x4(%esp)
0x08048311 <main+151>: lea 0xfffffff0(%ebp),%eax
0x08048314 <main+154>: mov %eax,(%esp)
0x08048317 <main+157>: call 0x80483ee <_ZSteqIcSt11char_traitsIcESaIcEEbRKSbIT_T0_T1_EPKS3_>
0x0804831c <main+162>: xor $0x1,%al
0x0804831e <main+164>: test %al,%al
0x08048320 <main+166>: jne 0x8048328 <main+174>
0x08048322 <main+168>: movb $0x1,0xffffffe7(%ebp)
0x08048326 <main+172>: jmp 0x804832c <main+178>
---Type <return> to continue, or q <return> to quit---
0x08048328 <main+174>: movb $0x0,0xffffffe7(%ebp)
0x0804832c <main+178>: movzbl 0xffffffe7(%ebp),%eax
0x08048330 <main+182>: test %al,%al
0x08048332 <main+184>: je 0x8048366 <main+236>
0x08048334 <main+186>: movl $0x80ffe6e,0x4(%esp)
0x0804833c <main+194>: movl $0x8130f60,(%esp)
0x08048343 <main+201>: call 0x806d8f0 <_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc>
0x08048348 <main+206>: movl $0x806e0c0,0x4(%esp)
0x08048350 <main+214>: mov %eax,(%esp)
0x08048353 <main+217>: call 0x806bf10 <_ZNSolsEPFRSoS_E>
0x08048358 <main+222>: movl $0x80ffe80,(%esp)
0x0804835f <main+229>: call 0x80b5ab0 <system>
0x08048364 <main+234>: jmp 0x804838a <main+272>
0x08048366 <main+236>: movl $0x80ffe88,0x4(%esp)
0x0804836e <main+244>: movl $0x8130f60,(%esp)
0x08048375 <main+251>: call 0x806d8f0 <_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc>
0x0804837a <main+256>: movl $0x806e0c0,0x4(%esp)
0x08048382 <main+264>: mov %eax,(%esp)
0x08048385 <main+267>: call 0x806bf10 <_ZNSolsEPFRSoS_E>
0x0804838a <main+272>: lea 0xfffffff0(%ebp),%eax
0x0804838d <main+275>: mov %eax,(%esp)
0x08048390 <main+278>: call 0x8074e40 <_ZNSsD1Ev>
0x08048395 <main+283>: jmp 0x80483ad <main+307>
0x08048397 <main+285>: mov %eax,0xffffffdc(%ebp)
0x0804839a <main+288>: mov 0xffffffdc(%ebp),%ebx
0x0804839d <main+291>: lea 0xfffffff0(%ebp),%eax
0x080483a0 <main+294>: mov %eax,(%esp)
0x080483a3 <main+297>: call 0x8074e40 <_ZNSsD1Ev>
0x080483a8 <main+302>: mov %ebx,0xffffffdc(%ebp)
0x080483ab <main+305>: jmp 0x80483c5 <main+331>
0x080483ad <main+307>: lea 0xfffffff4(%ebp),%eax
0x080483b0 <main+310>: mov %eax,(%esp)
0x080483b3 <main+313>: call 0x8074e40 <_ZNSsD1Ev>
0x080483b8 <main+318>: mov $0x0,%eax
0x080483bd <main+323>: mov %eax,0xffffffe0(%ebp)
0x080483c0 <main+326>: jmp 0x80483e1 <main+359>
0x080483c2 <main+328>: mov %eax,0xffffffdc(%ebp)
0x080483c5 <main+331>: mov 0xffffffdc(%ebp),%ebx
0x080483c8 <main+334>: lea 0xfffffff4(%ebp),%eax
0x080483cb <main+337>: mov %eax,(%esp)
0x080483ce <main+340>: call 0x8074e40 <_ZNSsD1Ev>
0x080483d3 <main+345>: mov %ebx,0xffffffdc(%ebp)
0x080483d6 <main+348>: mov 0xffffffdc(%ebp),%eax
0x080483d9 <main+351>: mov %eax,(%esp)
0x080483dc <main+354>: call 0x80a5180 <_Unwind_Resume>
---Type <return> to continue, or q <return> to quit---
0x080483e1 <main+359>: mov 0xffffffe0(%ebp),%eax
0x080483e4 <main+362>: add $0x30,%esp
0x080483e7 <main+365>: pop %ecx
0x080483e8 <main+366>: pop %ebx
0x080483e9 <main+367>: pop %ebp
0x080483ea <main+368>: lea 0xfffffffc(%ecx),%esp
0x080483ed <main+371>: ret
End of assembler dump.
(gdb)
I've been looking at the assembly code and I'm not sure which part I should look at. I'm stuck here. Any help would be highly appreciated. Thanks
I'm trying a basic buffer overflow game at smashthestack. After logging in, I found one file in the home directory, login2.
level1@blackbox:~$ ls -las
total 1184
4 drwxr-x--- 2 level1 level1 4096 Jul 9 2009 .
4 drwxr-xr-x 16 root root 4096 Dec 20 2009 ..
0 lrwxrwxrwx 1 root root 9 Jun 17 2009 .bash_history -> /dev/null
4 -rw-r--r-- 1 level1 level1 567 Dec 29 2007 .bash_profile
4 -rw-r--r-- 1 level1 level1 1834 Jan 28 2008 .bashrc
1168 -rws--xr-x 1 level2 level2 1189337 Jan 12 2008 login2
I quickly checked the file and found out that it is an LSB executable file.
level1@blackbox:~$ file login2
login2: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.4.1, statically linked, for GNU/Linux 2.4.1, not stripped
So I tried to run the file and got this output:
level1@blackbox:~$ ./login2
Username: admin
Password: password
Invalid username or password
Looks like I need to find the correct username and password, right?
I tried to view the file but failed.
level1@blackbox:~$ more login2
******** login2: Not a text file ********
So I decided to run it in GDB to look at the contents.
level1@blackbox:~$ gdb ./login2
GNU gdb 6.4.90-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...Using host libthread_db library "/lib/tls/libthread_db.so.1".
I'm not very familiar with GDB. So I've been reading the GDB tutorial and tried the disassemble command to see the assembly code of this program.
http://www.unknownroad.com/rtfm/gdbtut/gdbadvanced.html#DISASS
(gdb) disassemble main
Dump of assembler code for function main:
0x0804827a <main+0>: lea 0x4(%esp),%ecx
0x0804827e <main+4>: and $0xfffffff0,%esp
0x08048281 <main+7>: pushl 0xfffffffc(%ecx)
0x08048284 <main+10>: push %ebp
0x08048285 <main+11>: mov %esp,%ebp
0x08048287 <main+13>: push %ebx
0x08048288 <main+14>: push %ecx
0x08048289 <main+15>: sub $0x30,%esp
0x0804828c <main+18>: lea 0xfffffff4(%ebp),%eax
0x0804828f <main+21>: mov %eax,(%esp)
0x08048292 <main+24>: call 0x8072ec0 <_ZNSsC1Ev>
0x08048297 <main+29>: lea 0xfffffff0(%ebp),%eax
0x0804829a <main+32>: mov %eax,(%esp)
0x0804829d <main+35>: call 0x8072ec0 <_ZNSsC1Ev>
0x080482a2 <main+40>: movl $0x80ffe48,0x4(%esp)
0x080482aa <main+48>: movl $0x8130f60,(%esp)
0x080482b1 <main+55>: call 0x806d8f0 <_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc>
0x080482b6 <main+60>: lea 0xfffffff4(%ebp),%eax
0x080482b9 <main+63>: mov %eax,0x4(%esp)
0x080482bd <main+67>: movl $0x8130ec0,(%esp)
0x080482c4 <main+74>: call 0x806b2e0 <_ZSt7getlineIcSt11char_traitsIcESaIcEERSt13basic_istreamIT_T0_ES7_RSbIS4_S5_T1_E>
0x080482c9 <main+79>: movl $0x80ffe53,0x4(%esp)
0x080482d1 <main+87>: movl $0x8130f60,(%esp)
0x080482d8 <main+94>: call 0x806d8f0 <_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc>
0x080482dd <main+99>: lea 0xfffffff0(%ebp),%eax
0x080482e0 <main+102>: mov %eax,0x4(%esp)
0x080482e4 <main+106>: movl $0x8130ec0,(%esp)
0x080482eb <main+113>: call 0x806b2e0 <_ZSt7getlineIcSt11char_traitsIcESaIcEERSt13basic_istreamIT_T0_ES7_RSbIS4_S5_T1_E>
0x080482f0 <main+118>: movl $0x80ffe5e,0x4(%esp)
0x080482f8 <main+126>: lea 0xfffffff4(%ebp),%eax
0x080482fb <main+129>: mov %eax,(%esp)
0x080482fe <main+132>: call 0x80483ee <_ZSteqIcSt11char_traitsIcESaIcEEbRKSbIT_T0_T1_EPKS3_>
0x08048303 <main+137>: xor $0x1,%al
0x08048305 <main+139>: test %al,%al
0x08048307 <main+141>: jne 0x8048328 <main+174>
0x08048309 <main+143>: movl $0x80ffe65,0x4(%esp)
0x08048311 <main+151>: lea 0xfffffff0(%ebp),%eax
0x08048314 <main+154>: mov %eax,(%esp)
0x08048317 <main+157>: call 0x80483ee <_ZSteqIcSt11char_traitsIcESaIcEEbRKSbIT_T0_T1_EPKS3_>
0x0804831c <main+162>: xor $0x1,%al
0x0804831e <main+164>: test %al,%al
0x08048320 <main+166>: jne 0x8048328 <main+174>
0x08048322 <main+168>: movb $0x1,0xffffffe7(%ebp)
0x08048326 <main+172>: jmp 0x804832c <main+178>
---Type <return> to continue, or q <return> to quit---
0x08048328 <main+174>: movb $0x0,0xffffffe7(%ebp)
0x0804832c <main+178>: movzbl 0xffffffe7(%ebp),%eax
0x08048330 <main+182>: test %al,%al
0x08048332 <main+184>: je 0x8048366 <main+236>
0x08048334 <main+186>: movl $0x80ffe6e,0x4(%esp)
0x0804833c <main+194>: movl $0x8130f60,(%esp)
0x08048343 <main+201>: call 0x806d8f0 <_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc>
0x08048348 <main+206>: movl $0x806e0c0,0x4(%esp)
0x08048350 <main+214>: mov %eax,(%esp)
0x08048353 <main+217>: call 0x806bf10 <_ZNSolsEPFRSoS_E>
0x08048358 <main+222>: movl $0x80ffe80,(%esp)
0x0804835f <main+229>: call 0x80b5ab0 <system>
0x08048364 <main+234>: jmp 0x804838a <main+272>
0x08048366 <main+236>: movl $0x80ffe88,0x4(%esp)
0x0804836e <main+244>: movl $0x8130f60,(%esp)
0x08048375 <main+251>: call 0x806d8f0 <_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc>
0x0804837a <main+256>: movl $0x806e0c0,0x4(%esp)
0x08048382 <main+264>: mov %eax,(%esp)
0x08048385 <main+267>: call 0x806bf10 <_ZNSolsEPFRSoS_E>
0x0804838a <main+272>: lea 0xfffffff0(%ebp),%eax
0x0804838d <main+275>: mov %eax,(%esp)
0x08048390 <main+278>: call 0x8074e40 <_ZNSsD1Ev>
0x08048395 <main+283>: jmp 0x80483ad <main+307>
0x08048397 <main+285>: mov %eax,0xffffffdc(%ebp)
0x0804839a <main+288>: mov 0xffffffdc(%ebp),%ebx
0x0804839d <main+291>: lea 0xfffffff0(%ebp),%eax
0x080483a0 <main+294>: mov %eax,(%esp)
0x080483a3 <main+297>: call 0x8074e40 <_ZNSsD1Ev>
0x080483a8 <main+302>: mov %ebx,0xffffffdc(%ebp)
0x080483ab <main+305>: jmp 0x80483c5 <main+331>
0x080483ad <main+307>: lea 0xfffffff4(%ebp),%eax
0x080483b0 <main+310>: mov %eax,(%esp)
0x080483b3 <main+313>: call 0x8074e40 <_ZNSsD1Ev>
0x080483b8 <main+318>: mov $0x0,%eax
0x080483bd <main+323>: mov %eax,0xffffffe0(%ebp)
0x080483c0 <main+326>: jmp 0x80483e1 <main+359>
0x080483c2 <main+328>: mov %eax,0xffffffdc(%ebp)
0x080483c5 <main+331>: mov 0xffffffdc(%ebp),%ebx
0x080483c8 <main+334>: lea 0xfffffff4(%ebp),%eax
0x080483cb <main+337>: mov %eax,(%esp)
0x080483ce <main+340>: call 0x8074e40 <_ZNSsD1Ev>
0x080483d3 <main+345>: mov %ebx,0xffffffdc(%ebp)
0x080483d6 <main+348>: mov 0xffffffdc(%ebp),%eax
0x080483d9 <main+351>: mov %eax,(%esp)
0x080483dc <main+354>: call 0x80a5180 <_Unwind_Resume>
---Type <return> to continue, or q <return> to quit---
0x080483e1 <main+359>: mov 0xffffffe0(%ebp),%eax
0x080483e4 <main+362>: add $0x30,%esp
0x080483e7 <main+365>: pop %ecx
0x080483e8 <main+366>: pop %ebx
0x080483e9 <main+367>: pop %ebp
0x080483ea <main+368>: lea 0xfffffffc(%ecx),%esp
0x080483ed <main+371>: ret
End of assembler dump.
(gdb)
I've been looking at the assembly code and I'm not sure which part I should look at. I'm stuck here. Any help would be highly appreciated. Thanks