Level 3

A Stack Overflow with a Difference

This level is pretty straight forward. Just sit down and understand what the code is doing. Your shellcode will require a setuid(LEVEL4_UID) since bash drops effective privileges. You could alternatively write a quick setuid(geteuid()) wrapper around bash.

Reading Material

Smashing the Stack for Fun and Profit

Overwriting the .dtors section

Code listing (level3.c)

 1 /*
 2  * 0xbadc0ded.org Challenge #02 (2003-07-08)
 3  *
 4  * Joel Eriksson <je@0xbadc0ded.org>
 5  */
 6 
 7 
 8 #include <string.h>
 9 #include <stdlib.h>
10 #include <stdio.h>
11 
12 unsigned long val = 31337;
13 unsigned long *lp = &val;
14 
15 int main(int argc, char **argv)
16 {
17         unsigned long **lpp = &lp, *tmp;
18         char buf[128];
19 
20         if (argc != 2)
21                 exit(1);
22 
23         strcpy(buf, argv[1]);
24 
25         if (((unsigned long) lpp & 0xffff0000) != 0x08040000)
26                 exit(2);
27 
28         tmp = *lpp;
29         **lpp = (unsigned long) &buf;
30         *lpp = tmp;
31 
32         exit(0);
33 }