Saturday, August 28, 2010

Shell-Storm.org #WarGame

Yeah, I signed up for the shell-storm annual hacking thing and, oh my God, I'm still on level 1. I just thought I'd blog what I'm doing, which is practically nothing! hahahhahahahaha

I'm here attempting to break through the servers and pass level 1, at least level 1. The usual way to do these things is by buffer overflow; take this example, for instance, which I got from Ivan, who is 2nd with 55000 points. The competition is 12 hours and he has done 10 rounds in less than 2 hours. WTH?
Anyway, here is the file; and please be mindful that these things I blog here are for educational and professional purposes only. I do not expect you to use them for harm. Should you do that, I disclaim, denounce, disassociate, dishonor, dismount and dis...(etc) all negative events that may arise from it;
ENJOY;

Consider this code:

#include <stdio.h>

int main(){
    /* the 0 below becomes an imm32 in the compiled code, which is what gets patched */
    printf("I'm this cool right now: [%d]\n",0);
}

And the compiled binary:
student@csci4971:/tmp$ gcc -o a a.c
./a
student@csci4971:/tmp$ ./a
I'm this cool right now: [0]

Lets fire up gdb and patch that to something better than 0.

(gdb) disas main
Dump of assembler code for function main:
0x080483e4 : lea 0x4(%esp),%ecx
0x080483e8 : and $0xfffffff0,%esp
0x080483eb : pushl -0x4(%ecx)
0x080483ee : push %ebp
0x080483ef : mov %esp,%ebp
0x080483f1 : push %ecx
0x080483f2 : sub $0x14,%esp
0x080483f5 : movl $0x0,0x4(%esp)
0x080483fd : movl $0x80484e0,(%esp)
0x08048404 : call 0x804831c
0x08048409 : add $0x14,%esp
0x0804840c : pop %ecx
0x0804840d : pop %ebp
0x0804840e : lea -0x4(%ecx),%esp
0x08048411 : ret
End of assembler dump.
(gdb)

The printf call is here:

0x080483f5 : movl $0x0,0x4(%esp)
0x080483fd : movl $0x80484e0,(%esp)
0x08048404 : call 0x804831c

Two arguments are being pushed.
Argument 1 is:
(gdb) x/s 0x80484e0
0x80484e0: "I'm this cool right now: [%d]\n"

Argument 2 is: 0x0

The instruction that pushes the 0 is 8 bytes long (fd - f5)

0x80483f5 : 0xc7 0x44 0x24 0x04 0x00 0x00 0x00 0x00

The 0 happens to be the last 4 bytes (the imm32, stored little-endian), so the immediate itself starts at 0x80483f5 + 4 = 0x80483f9. The exact format of your instruction
can be found in the instruction manuals. Or through trial and error, you'll
start to get a feel for it.

(gdb) break main
Breakpoint 1 at 0x80483f2
(gdb) r
Starting program: /tmp/a

Breakpoint 1, 0x080483f2 in main ()
(gdb) set *0x80483f9 = 0x00000539

Now the program is patched.

(gdb) disas main
Dump of assembler code for function main:
0x080483e4 : lea 0x4(%esp),%ecx
0x080483e8 : and $0xfffffff0,%esp
0x080483eb : pushl -0x4(%ecx)
0x080483ee : push %ebp
0x080483ef : mov %esp,%ebp
0x080483f1 : push %ecx
0x080483f2 : sub $0x14,%esp
0x080483f5 : movl $0x539,0x4(%esp)
0x080483fd : movl $0x80484e0,(%esp)
0x08048404 : call 0x804831c
0x08048409 : add $0x14,%esp
0x0804840c : pop %ecx
0x0804840d : pop %ebp
0x0804840e : lea -0x4(%ecx),%esp
0x08048411 : ret
End of assembler dump.
(gdb)


(gdb) c
Continuing.
I'm this cool right now: [1337]

Program exited with code 040.
(gdb)

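To make the encoding concrete, here is an added example (my own code, not from the post or from Ivan's write-up) that checks a byte buffer for the exact c7 44 24 04 encoding of movl $imm32,0x4(%esp) before rewriting the immediate, which is the same write gdb performs at instruction start + 4. The buffer is constructed from the dump above; only the first movl's bytes appear in the post, the second movl's bytes are assumed from its disassembly.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* The 8-byte instruction from the dump is  c7 44 24 04 imm32 :
 *   c7 = MOV r/m32,imm32; 44 = ModRM (mod=01 disp8, /0, rm=SIB);
 *   24 = SIB (base=%esp, no index); 04 = disp8  ->  0x4(%esp)
 * The imm32 is the trailing 4 bytes, little-endian, which is why the post
 * writes to instruction start + 4 (0x80483f5 + 4 = 0x80483f9). */
#define MOV_ESP4_IMM_LEN 8
#define IMM_OFFSET 4
/* 1 if buf[off..off+8) is exactly movl $imm32,0x4(%esp), else 0. */
static int is_mov_esp4_imm(const uint8_t *buf, size_t len, size_t off) {
    if (len < MOV_ESP4_IMM_LEN || off > len - MOV_ESP4_IMM_LEN) return 0;
    return buf[off] == 0xc7 && buf[off + 1] == 0x44 &&
           buf[off + 2] == 0x24 && buf[off + 3] == 0x04;
}
/* Little-endian read of the immediate; validate the encoding first. */
static uint32_t read_imm32(const uint8_t *buf, size_t off) {
    const uint8_t *p = buf + off + IMM_OFFSET;
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
/* Rewrites the immediate in place; returns -1 and changes nothing if the bytes at
 * off are not this encoding, so a wrong address cannot corrupt another instruction. */
static int patch_imm32(uint8_t *buf, size_t len, size_t off, uint32_t value) {
    if (!is_mov_esp4_imm(buf, len, off)) return -1;
    uint8_t *p = buf + off + IMM_OFFSET;
    p[0] = value & 0xff;         p[1] = (value >> 8) & 0xff;
    p[2] = (value >> 16) & 0xff; p[3] = (value >> 24) & 0xff;
    return 0;
}
/* Constructed buffer: the two movl instructions at 0x80483f5 and 0x80483fd.
 * Only the first one's bytes are in the post; the second is assumed from
 * its disassembly (ModRM 04 = no displacement, so 7 bytes). */
static uint8_t code[] = {
    0xc7, 0x44, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, /* movl $0x0,0x4(%esp)    */
    0xc7, 0x04, 0x24, 0xe0, 0x84, 0x04, 0x08,       /* movl $0x80484e0,(%esp) */
};
/* Applies the post's patch (0 -> 0x539 = 1337) and returns the new immediate,
 * or 0xffffffff if the bytes at offset 0 were not the expected instruction. */
uint32_t demo_patch(void) {
    if (patch_imm32(code, sizeof code, 0, 0x539) != 0) return 0xffffffffu;
    return read_imm32(code, 0);
}

int main(void) {
    printf("patched immediate: %u\n", demo_patch()); /* prints 1337 */
    return 0;
}
```

Offset 8 (the second movl) is rejected by the check, so mistyping the address by one instruction fails loudly instead of scribbling over unrelated bytes.
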
Well, so that is it.
I already told you I'm on level 1, so don't expect me to do explanations for you. You should find out and lemme know instead of asking "then what?" (Sorry if you did not ask "Then what?", my bad) lol...

Even if I don't get to level 10 (the final stage), I will at least have known that I was in the competition... (My consolation)......
