Vortex Level 3
Posted September 19th, 2007 by Steven
A Stack Overflow with a Difference
This level is pretty straightforward. Just sit down and understand what the code is doing. Your shellcode will need a setuid(LEVEL4_UID) call, since bash drops effective privileges. Alternatively, you could write a quick setuid(geteuid()) wrapper around bash.
- Reading Material
- Smashing the Stack for Fun and Profit
- Overwriting the .dtors section
Source code to this level may be found here.
level3.c:
/*
 * 0xbadc0ded.org Challenge #02 (2003-07-08)
 *
 * Joel Eriksson <je@0xbadc0ded.org>
 */
#include <string.h>
#include <stdlib.h>
#include <stdio.h>

unsigned long val = 31337;
unsigned long *lp = &val;

int main(int argc, char **argv)
{
	unsigned long **lpp = &lp, *tmp;
	char buf[128];

	if (argc != 2)
		exit(1);

	/* argv[1] is copied into the 128-byte buf with no length check */
	strcpy(buf, argv[1]);

	/* lpp must still point into the 0x0804xxxx range, where the data
	 * sections of a non-PIE 32-bit ELF live; otherwise bail out */
	if (((unsigned long) lpp & 0xffff0000) != 0x08040000)
		exit(2);

	tmp = *lpp;
	**lpp = (unsigned long) &buf;
	*lpp = tmp;

	exit(0);
}
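From the defensive side, the defect that makes everything else in level3.c possible is the single unchecked strcpy() into buf[128]: once argv[1] is longer than 127 bytes, the bytes spill into the neighbouring locals (lpp and tmp) that the rest of main() then trusts. The following is an added example, not part of the level or Joel Eriksson's code: it models that frame as a struct (the real stack layout is the compiler's choice) and puts the unchecked copy beside a bounds-checked replacement, driven by a constructed 143-byte argument.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Teaching model of the level3.c frame: buf plus the two pointer locals beside it
 * (the real layout is the compiler's choice). Pointer values are kept as integers
 * so clobbered bytes can be compared without being dereferenced. */
struct frame { char buf[128]; uintptr_t tmp, lpp; };   /* buf[128], *tmp, **lpp */
/* Before: unchecked copy, like strcpy(buf, argv[1]) in level3.c; bytes past 127 land
 * in tmp and lpp. Clamped to the frame only so the model is never written out of bounds. */
static void unchecked_copy(struct frame *f, const char *input)
{
    size_t n = strlen(input) + 1;               /* strcpy copies the NUL too */
    memcpy(f, input, n > sizeof *f ? sizeof *f : n);
}
/* After: refuse any input that does not fit buf together with its terminator. */
static int checked_copy(struct frame *f, const char *input)
{
    size_t n = strlen(input);
    if (n >= sizeof f->buf)                     /* 128 chars leave no room for NUL */
        return -1;
    memcpy(f->buf, input, n + 1);
    return 0;
}

/* Returns 1 if copying input changed either pointer slot, 0 otherwise. */
int pointers_clobbered(const char *input, int use_check)
{
    unsigned long val = 31337, *lp = &val;      /* mirrors the globals in level3.c */
    struct frame f = { .tmp = (uintptr_t)lp, .lpp = (uintptr_t)&lp };
    if (!use_check)
        unchecked_copy(&f, input);
    else if (checked_copy(&f, input) != 0)
        return 0;                               /* rejected: frame untouched */
    return f.tmp != (uintptr_t)lp || f.lpp != (uintptr_t)&lp;
}
/* Constructed input: fills buf exactly, then spills 'B's over tmp and 'C's over lpp. */
const char *oversized_input(void)
{
    static char s[144];
    memset(s, 'A', 128); memset(s + 128, 'B', 8); memset(s + 136, 'C', 7);
    s[143] = '\0';
    return s;
}

int main(void)
{
    printf("unchecked: %d  checked: %d  (1 = pointer slots clobbered)\n",
           pointers_clobbered(oversized_input(), 0), pointers_clobbered(oversized_input(), 1));
    return 0;
}
```

The same length test is what a fixed level3.c would need before the strcpy(); the address check on lpp that follows it in the original cannot substitute for it, since by then the locals are already overwritten.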
Shell but no SetUID luck
UPDATE:
Okay, I got it, thanks to keli on IRC for helping me on that one. You gotta use setreuid & geteuid; I'll leave it up to you to look up the syscalls and write the shell :D I have a feeling this shell will come in handy in several places later on.
Hmmm... maybe I keep getting dumped out of privileged access, but I'm a bit confused on how to get the setuid into this one. I've successfully got a /bin/sh shell dropping via /vortex/level3, but I cannot get the damn setuid to stick.
Here's the asm I wrote up for setting to the proper UID, because we know ebx is the first arg, eax is our system call pointer, and we can write ebx where we want the ID to be at (right?)
If I change 0xfa to 0xf9, I get a regular exit from setuid; if I set it to 0xfa it gives me a return call 0377 (did not set UID, I'm assuming).
If I'm giving away too much of the answer let me know, I figure a basic setuid shell was not a hint in any way :)
god bless u guys since i
God bless you guys,
since I don't know much on Linux, and don't possess
any grep tech.
I walk through 0x8048500.... magically find an address
that points to GOT, but why could I only get a shell after
continuing the SIGTRAP,
when I just run it, it segfaults. :(
And any elite explain about the setuid?
How much is the LEVEL 4 uid?
Thanks anyway
eeeeee anybody? eeeeeeeeeeeee
anybody?
i will work it out,goddamned
I will work it out, goddamned, it's a perfect site.