//writen by bla
#include
#include
int main() {
    char username[1024];
    FILE* f = popen("whoami","r");
    fgets(username, sizeof(username), f);
    printf("Welcome %s", username);
    return 0;
}
푸는 법을 생각하다가 $PATH 환경변수 변조를 택함. popen은 /bin/sh -c로 명령을 실행하므로 절대 경로 없이 적힌 whoami는 호출자가 바꿀 수 있는 $PATH 순서대로 검색된다. /tmp/err0rless에 내가 만든 whoami를 만들면 popen으로 연 whoami가 내가 조작한 whoami로 실행될 것이다.
level4@io:/levels$ ls /tmp/err0rless
whoami whoami.c
level4@io:/levels$ cat /tmp/err0rless/whoami.c
#include
main() { ..
//bla, based on work by beach
#include
#include
void good() {
    puts("Win.");
    execl("/bin/sh", "sh", NULL);
}
void bad() {
    printf("I'm so sorry, you're at %p and you want to be at %p\n", bad, good);
}
int main(int argc, char **argv, char **envp) {
    void (*functionpointer)(void) = bad;
    char buffer[50];
    if(argc != 2 || strlen(argv[1])
//a little fun brought to you by bla
#include
#include
#include
#include
void catcher(int a) {
    setresuid(geteuid(),geteuid(),geteuid());
    printf("WIN!\n");
    system("/bin/sh");
    exit(0);
}
int main(int argc, char **argv) {
    puts("source code is available in level02.c\n");
    if (argc != 3 || !atoi(argv[2])) return 1;
    signal(SIGFPE, catcher);
    return abs(atoi(argv[1])) / atoi(argv[2]);
}
SIGFPE는 int형 오류가 ..