exploit-exercises.com
Follow us on twitter

Nebula level11

About

The /home/flag11/flag11 binary processes standard input and executes a shell command.

There are two ways of completing this level, you may wish to do both :-)

To do this level, log in as the level11 account with the password level11 . Files for this level can be found in /home/flag11.

Source code

  1#include <stdlib.h>
  2#include <unistd.h>
  3#include <string.h>
  4#include <sys/types.h>
  5#include <fcntl.h>
  6#include <stdio.h>
  7#include <sys/mman.h>
  8
  9/*
 10 * Return a random, non predictable file, and return the file descriptor for it.
 11 */
 12
 13int getrand(char **path)
 14{
 15  char *tmp;
 16  int pid;
 17  int fd;
 18
 19  srandom(time(NULL));
 20
 21  tmp = getenv("TEMP");
 22  pid = getpid();
 23  
 24  asprintf(path, "%s/%d.%c%c%c%c%c%c", tmp, pid, 
 25    'A' + (random() % 26), '0' + (random() % 10), 
 26    'a' + (random() % 26), 'A' + (random() % 26),
 27    '0' + (random() % 10), 'a' + (random() % 26));
 28
 29  fd = open(*path, O_CREAT|O_RDWR, 0600);
 30  unlink(*path);
 31  return fd;
 32}
 33
 34void process(char *buffer, int length)
 35{
 36  unsigned int key;
 37  int i;
 38
 39  key = length & 0xff;
 40
 41  for(i = 0; i < length; i++) {
 42    buffer[i] ^= key;
 43    key -= buffer[i];
 44  }
 45
 46  system(buffer);
 47}
 48
 49#define CL "Content-Length: "
 50
 51int main(int argc, char **argv)
 52{
 53  char line[256];
 54  char buf[1024];
 55  char *mem;
 56  int length;
 57  int fd;
 58  char *path;
 59
 60  if(fgets(line, sizeof(line), stdin) == NULL) {
 61    errx(1, "reading from stdin");
 62  }
 63
 64  if(strncmp(line, CL, strlen(CL)) != 0) {
 65    errx(1, "invalid header");
 66  }
 67
 68  length = atoi(line + strlen(CL));
 69  
 70  if(length < sizeof(buf)) {
 71    if(fread(buf, length, 1, stdin) != length) {
 72      err(1, "fread length");
 73    }
 74    process(buf, length);
 75  } else {
 76    int blue = length;
 77    int pink;
 78
 79    fd = getrand(&path);
 80
 81    while(blue > 0) {
 82      printf("blue = %d, length = %d, ", blue, length);
 83
 84      pink = fread(buf, 1, sizeof(buf), stdin);
 85      printf("pink = %d\n", pink);
 86
 87      if(pink <= 0) {
 88        err(1, "fread fail(blue = %d, length = %d)", blue, length);
 89      }
 90      write(fd, buf, pink);
 91
 92      blue -= pink;
 93    }  
 94
 95    mem = mmap(NULL, length, PROT_READ|PROT_WRITE, MAP_PRIVATE, fd, 0);
 96    if(mem == MAP_FAILED) {
 97      err(1, "mmap");
 98    }
 99    process(mem, length);
100  }
101
102}
103

Discussion