While we are at level 2, we might as well take a look at the alternate challenge. As usual, we are provided with `level02_alt.c`

and `level02_alt`

.

Here’s what `level02_alt.c`

looks like.

```
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#define answer 3.141593
void main(int argc, char **argv) {
float a = (argc - 2)?: strtod(argv[1], 0);
printf("You provided the number %f which is too ", a);
if(a < answer)
puts("low");
else if(a > answer)
puts("high");
else
execl("/bin/sh", "sh", "-p", NULL);
}
```

It seems like we just have to nail the value of answer which is defined above. Wait a minute, isn’t that too easy? Let’s try it out.

```
level2@io:/levels$ ./level02_alt 3.141593
You provided the number 3.141593 which is too low
```

Too low? Hmm. Let’s take a closer look at what we’re dealing with.

Taking a look at the manual entry for `strtod`

.

```
STRTOD(3) Linux Programmer's Manual STRTOD(3)
NAME
strtod, strtof, strtold - convert ASCII string to floating-point num-
ber
SYNOPSIS
#include <stdlib.h>
double strtod(const char *nptr, char **endptr);
float strtof(const char *nptr, char **endptr);
long double strtold(const char *nptr, char **endptr);
Feature Test Macro Requirements for glibc (see feature_test_macros(7)):
strtof(), strtold():
_XOPEN_SOURCE >= 600 || _ISOC99_SOURCE ||
_POSIX_C_SOURCE >= 200112L;
or cc -std=c99
DESCRIPTION
The strtod(), strtof(), and strtold() functions convert the initial
portion of the string pointed to by nptr to double, float, and long
double representation, respectively.
The expected form of the (initial portion of the) string is optional
leading white space as recognized by isspace(3), an optional plus
('+') or minus sign ('-') and then either (i) a decimal number, or
(ii) a hexadecimal number, or (iii) an infinity, or (iv) a NAN (not-a-
number).
A decimal number consists of a nonempty sequence of decimal digits
possibly containing a radix character (decimal point, locale-depen-
dent, usually '.'), optionally followed by a decimal exponent. A dec-
imal exponent consists of an 'E' or 'e', followed by an optional plus
or minus sign, followed by a nonempty sequence of decimal digits, and
indicates multiplication by a power of 10.
A hexadecimal number consists of a "0x" or "0X" followed by a nonempty
sequence of hexadecimal digits possibly containing a radix character,
optionally followed by a binary exponent. A binary exponent consists
of a 'P' or 'p', followed by an optional plus or minus sign, followed
by a nonempty sequence of decimal digits, and indicates multiplication
by a power of 2. At least one of radix character and binary exponent
must be present.
An infinity is either "INF" or "INFINITY", disregarding case.
A NAN is "NAN" (disregarding case) optionally followed by '(', a
sequence of characters, followed by ')'. The character string speci-
fies in an implementation-dependent way the type of NAN.
RETURN VALUE
These functions return the converted value, if any.
```

`strtod`

takes in a string of various forms.

```
The expected form of the (initial portion of the) string is optional
leading white space as recognized by isspace(3), an optional plus
('+') or minus sign ('-') and then either (i) a decimal number, or
(ii) a hexadecimal number, or (iii) an infinity, or (iv) a NAN (not-a-
number).
```

It can also take in a `nan`

. How can we pass in a `nan`

?

```
A NAN is "NAN" (disregarding case) optionally followed by '(', a
sequence of characters, followed by ')'. The character string speci-
fies in an implementation-dependent way the type of NAN.
```

Okay, let’s try it out.

```
level2@io:/levels$ ./level02_alt nan
sh-4.2$ whoami
level3
sh-4.2$
```

Let’s think about it for a bit. To spawn a shell, our variable `a`

should not be less than or greater than `answer`

. If variable `a`

is not a number, it is neither less than or greater than `answer`

. Tricky.

Published on 17 Mar 2013 by *Stanley Tan*

Stanley Tan @stnly |