Created
May 1, 2015 17:47
-
-
Save hhc0null/e6941e8d3a13ded8ea87 to your computer and use it in GitHub Desktop.
[VolgaCTF_2015_pwn-bash-125pts]
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
/* | |
bash | |
just another super-puper secure shell | |
nc bash.2015.volgactf.ru 7777 | |
tiny_bash[http://files.2015.volgactf.ru/bash/tiny_bash] | |
*/ | |
char *bss_602140h[] = {"flag", "bash", "python", "netcat", "perl", "args", "pico", "echo", "grep", "find", "sudo", "system", "exec", "regexp", "tail", "head", "less", "more"}; | |
void reap_exited_processes(arg_0) | |
{ | |
// Local variables. | |
rbp_14h; | |
rbp_14h = arg_0; | |
do { | |
rbp_04h = waitpid(-1, NULL, WHONOHANG); | |
} while(rbp_04h == 0 || rbp_04h == -1); | |
} | |
void sock_send(int arg_0, char *arg_8) | |
{ | |
// Local variables. | |
char *rbp_10h; | |
int rbp_04h; | |
rbp_04h = arg_0; | |
rbp_10h = arg_8; | |
sned(rbp_04h, rbp_10h, strlen(rbp_10h), 0); | |
} | |
int check_command(char *arg_0) | |
{ | |
// Local variables. | |
char *rbp_18h; | |
char **rbp_08h; | |
rbp_18h = arg_0; | |
for(rbp_08h = bss_602140h; *rbp_08h; rbp_08h++) { | |
if(strstr(rbp_18h, *rbp_08h)) return 0; | |
// ->> | |
} | |
return 1; | |
} | |
void process_connection(int arg_0) | |
{ | |
// Local variables. | |
int rbp_54h; | |
int rbp_48h; | |
char rbp_40h[0x10]; | |
char rbp_30h[0x10]; | |
rbp_54h = arg_0; | |
memset(rbp_30h, '\0', 0x10); | |
sock_send(rbp_54h, "Welcome to our small secure shell.You are disallowed to execute several types ofcommands.Are you able to bypass these restrictions?\n"); | |
while(true) { | |
sock_send(rbp_54h, ">> "); | |
memset(rbp_40h, '\0', 0x10); | |
rbp_48h = recv(rbp_54h, rbp_40h, 0xf, 0); | |
if(rbp_48h <= 0) { | |
fwrite("Failed to read socket\n", 1, 0x16, stderr); | |
return -1; | |
} | |
rbp_40h[rbp_48h] = '\0'; | |
printf("User request: %s\n", rbp_40h); | |
if(!check_command(rbp_40h)) { | |
sock_send(rbp_54h, "This command is prohibited.\n"); | |
} else { | |
memcpy(rbp_30h, rbp_40h, rbp_48h); | |
if(system(rbp_30h) != -1) continue; | |
sock_send(rbp_54h, "This command is incorrect.\n"); | |
} | |
} | |
} | |
int main(void) | |
{ | |
// ... | |
rbp_ech = fork(); | |
if(rbp_ech == 0) { | |
process_connection(rbp_f0h); | |
close(rbp_f0h); | |
close(rbp_f4h); | |
exit(EXIT_SUCCESS); | |
} | |
// ... | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
There're no bugs proceed from coding error.