Leviathan6 - leviathan7

From JaxHax
Jump to: navigation, search
leviathan6@melinda:~$ ls -la
total 28
drwxr-xr-x   2 root       root       4096 Nov 14 10:32 .
drwxr-xr-x 167 root       root       4096 Mar 21 06:46 ..
-rw-r--r--   1 root       root        220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root       root       3637 Apr  9  2014 .bashrc
-rw-r--r--   1 root       root        675 Apr  9  2014 .profile
-r-sr-x---   1 leviathan7 leviathan6 7484 Nov 14 10:32 leviathan6
 
leviathan6@melinda:~$ ./leviathan6 
usage: ./leviathan6 <4 digit code>
 
leviathan6@melinda:~$ ./leviathan6 1337
Wrong
 
leviathan6@melinda:~$ gdb -q ./leviathan6 
Reading symbols from ./leviathan6...(no debugging symbols found)...done.
(gdb) disassemble main  
Dump of assembler code for function main:
   0x0804850d <+0>:	push   %ebp
   0x0804850e <+1>:	mov    %esp,%ebp
   0x08048510 <+3>:	and    $0xfffffff0,%esp
   0x08048513 <+6>:	sub    $0x20,%esp
   0x08048516 <+9>:	movl   $0x1bd3,0x1c(%esp)
   0x0804851e <+17>:	cmpl   $0x2,0x8(%ebp)
   0x08048522 <+21>:	je     0x8048545 <main+56>
   0x08048524 <+23>:	mov    0xc(%ebp),%eax
   0x08048527 <+26>:	mov    (%eax),%eax
   0x08048529 <+28>:	mov    %eax,0x4(%esp)
   0x0804852d <+32>:	movl   $0x8048620,(%esp)
   0x08048534 <+39>:	call   0x8048390 <printf@plt>
   0x08048539 <+44>:	movl   $0xffffffff,(%esp)
   0x08048540 <+51>:	call   0x80483e0 <exit@plt>
   0x08048545 <+56>:	mov    0xc(%ebp),%eax
   0x08048548 <+59>:	add    $0x4,%eax
   0x0804854b <+62>:	mov    (%eax),%eax
   0x0804854d <+64>:	mov    %eax,(%esp)
   0x08048550 <+67>:	call   0x8048400 <atoi@plt>
   0x08048555 <+72>:	cmp    0x1c(%esp),%eax
   0x08048559 <+76>:	jne    0x8048575 <main+104>
   0x0804855b <+78>:	movl   $0x3ef,(%esp)
   0x08048562 <+85>:	call   0x80483a0 <seteuid@plt>
   0x08048567 <+90>:	movl   $0x804863a,(%esp)
   0x0804856e <+97>:	call   0x80483c0 <system@plt>
   0x08048573 <+102>:	jmp    0x8048581 <main+116>
   0x08048575 <+104>:	movl   $0x8048642,(%esp)
   0x0804857c <+111>:	call   0x80483b0 <puts@plt>
   0x08048581 <+116>:	leave  
   0x08048582 <+117>:	ret    
End of assembler dump.
(gdb) break *0x08048555
Breakpoint 1 at 0x8048555
(gdb) run 1337
Starting program: /home/leviathan6/leviathan6 1337
 
Breakpoint 1, 0x08048555 in main ()
(gdb) disassemble 
Dump of assembler code for function main:
   0x0804850d <+0>:	push   %ebp
   0x0804850e <+1>:	mov    %esp,%ebp
   0x08048510 <+3>:	and    $0xfffffff0,%esp
   0x08048513 <+6>:	sub    $0x20,%esp
   0x08048516 <+9>:	movl   $0x1bd3,0x1c(%esp)
   0x0804851e <+17>:	cmpl   $0x2,0x8(%ebp)
   0x08048522 <+21>:	je     0x8048545 <main+56>
   0x08048524 <+23>:	mov    0xc(%ebp),%eax
   0x08048527 <+26>:	mov    (%eax),%eax
   0x08048529 <+28>:	mov    %eax,0x4(%esp)
   0x0804852d <+32>:	movl   $0x8048620,(%esp)
   0x08048534 <+39>:	call   0x8048390 <printf@plt>
   0x08048539 <+44>:	movl   $0xffffffff,(%esp)
   0x08048540 <+51>:	call   0x80483e0 <exit@plt>
   0x08048545 <+56>:	mov    0xc(%ebp),%eax
   0x08048548 <+59>:	add    $0x4,%eax
   0x0804854b <+62>:	mov    (%eax),%eax
   0x0804854d <+64>:	mov    %eax,(%esp)
   0x08048550 <+67>:	call   0x8048400 <atoi@plt>
=> 0x08048555 <+72>:	cmp    0x1c(%esp),%eax
   0x08048559 <+76>:	jne    0x8048575 <main+104>
   0x0804855b <+78>:	movl   $0x3ef,(%esp)
   0x08048562 <+85>:	call   0x80483a0 <seteuid@plt>
   0x08048567 <+90>:	movl   $0x804863a,(%esp)
   0x0804856e <+97>:	call   0x80483c0 <system@plt>
   0x08048573 <+102>:	jmp    0x8048581 <main+116>
   0x08048575 <+104>:	movl   $0x8048642,(%esp)
   0x0804857c <+111>:	call   0x80483b0 <puts@plt>
   0x08048581 <+116>:	leave  
   0x08048582 <+117>:	ret    
End of assembler dump.
(gdb) x/xw $esp + 0x1c
0xffffd6bc:	0x00001bd3
(gdb) p/s 0x00001bd3
$1 = 7123
(gdb) quit
 
leviathan6@melinda:~$ ./leviathan6 7123
$ cat /etc/leviathan_pass/leviathan7
ahy7MaeBo9
$ exit