Level 2 Alt, IO STS

While we are at level 2, we might as well take a look at the alternate challenge. As usual, we are provided with level02_alt.c and level02_alt.

Here’s what level02_alt.c looks like.

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define answer 3.141593

void main(int argc, char **argv) {

   float a = (argc - 2)?: strtod(argv[1], 0);

   printf("You provided the number %f which is too ", a);

   if(a < answer)
      puts("low");
   else if(a > answer)
      puts("high");
   else
      execl("/bin/sh", "sh", "-p", NULL);
}

It seems like we just have to nail the value of answer which is defined above. Wait a minute, isn’t that too easy? Let’s try it out.

level2@io:/levels$ ./level02_alt 3.141593
You provided the number 3.141593 which is too low

Too low? Hmm. Let’s take a closer look at what we’re dealing with.

Taking a look at the manual entry for strtod.

STRTOD(3)                 Linux Programmer's Manual                 STRTOD(3)

NAME
       strtod,  strtof, strtold - convert ASCII string to floating-point num-
       ber

SYNOPSIS
       #include <stdlib.h>

       double strtod(const char *nptr, char **endptr);
       float strtof(const char *nptr, char **endptr);
       long double strtold(const char *nptr, char **endptr);

   Feature Test Macro Requirements for glibc (see feature_test_macros(7)):

       strtof(), strtold():
           _XOPEN_SOURCE >= 600 || _ISOC99_SOURCE ||
           _POSIX_C_SOURCE >= 200112L;
           or cc -std=c99

DESCRIPTION
       The strtod(), strtof(), and strtold() functions convert the initial
       portion of the string pointed to by nptr to double, float, and long
       double representation, respectively.

       The expected form of the (initial portion of the) string is optional
       leading white space as recognized by isspace(3), an optional plus
       ('+') or minus sign ('-') and then either (i) a decimal number, or
       (ii) a hexadecimal number, or (iii) an infinity, or (iv) a NAN (not-a-
       number).

       A decimal number consists of a nonempty sequence of decimal digits
       possibly containing a radix character (decimal point, locale-depen-
       dent, usually '.'), optionally followed by a decimal exponent.  A dec-
       imal exponent consists of an 'E' or 'e', followed by an optional plus
       or minus sign, followed by a nonempty sequence of decimal digits, and
       indicates multiplication by a power of 10.

       A hexadecimal number consists of a "0x" or "0X" followed by a nonempty
       sequence of hexadecimal digits possibly containing a radix character,
       optionally followed by a binary exponent.  A binary exponent consists
       of a 'P' or 'p', followed by an optional plus or minus sign, followed
       by a nonempty sequence of decimal digits, and indicates multiplication
       by a power of 2.  At least one of radix character and binary exponent
       must be present.

       An infinity is either "INF" or "INFINITY", disregarding case.

       A NAN is "NAN" (disregarding case) optionally followed by '(', a
       sequence of characters, followed by ')'.  The character string speci-
       fies in an implementation-dependent way the type of NAN.

RETURN VALUE
       These functions return the converted value, if any.

strtod takes in a string of various forms.

   The expected form of the (initial portion of the) string is optional
   leading white space as recognized by isspace(3), an optional plus
   ('+') or minus sign ('-') and then either (i) a decimal number, or
   (ii) a hexadecimal number, or (iii) an infinity, or (iv) a NAN (not-a-
   number).

It can also take in a nan. How can we pass in a nan?

   A NAN is "NAN" (disregarding case) optionally followed by '(', a
   sequence of characters, followed by ')'.  The character string speci-
   fies in an implementation-dependent way the type of NAN.

Okay, let’s try it out.

level2@io:/levels$ ./level02_alt nan
sh-4.2$ whoami
level3
sh-4.2$

Let’s think about it for a bit. To spawn a shell, our variable a should not be less than or greater than answer. If variable a is not a number, it is neither less than or greater than answer. Tricky.

Stanley Tan
@stnly