Think you have skills?
/*
   Try to exploit this without using any shellcode.
   Assume a nonexecutable stack.
   Get a root shell.

   Jose Ronnick <matrix@phiral.com>
*/

/*
 * Reviewer notes: this is a deliberately vulnerable exercise, so the
 * code is left exactly as published and the comments only mark where
 * the memory-safety problems are and what a hardened version would do.
 * No #include lines appear in the listing; the libc declarations
 * (string.h, strings.h, stdlib.h, stdio.h) are assumed.
 */

#define message "Are two bytes enough for you? =) <matrix@phiral.com>\n"

/*
 * Zero the contents of every string in a NULL-terminated array of
 * strings. Each string is overwritten in place for strlen() bytes; the
 * pointer array itself is left untouched. main() calls this on envp and
 * argv just before func().
 */
void clearmem(char **target) {
   int i;
   for(i = 0; target[i] != 0; i++)
      memset(target[i], 0, strlen(target[i]));
}

/*
 * Copy src into a 56-byte stack buffer.
 *
 * strcpy() has no length limit and this function checks nothing itself,
 * so it is only safe if the caller guarantees strlen(src) < 56
 * (stack-based buffer overflow, CWE-121, otherwise). A hardened version
 * would bound the copy by sizeof buffer, e.g. with snprintf(), or
 * reject over-long input here rather than trusting the caller.
 */
void func(char *src) {
   char buffer[56];

   strcpy(buffer, src);
}

/*
 * Build "message + argv[1]" in a 100-byte stack buffer, optionally copy
 * argv[2] into a small heap block, print the result, wipe envp/argv and
 * a fixed address range, and pass the buffer to func() if a computed
 * length is below 56.
 *
 * argv[1] is required (the program exits when argc == 1); argv[2] is
 * optional. Both are treated as untrusted input in the notes below.
 */
int main(int argc, char *argv[], char *envp[]) {
   char buffer[100];
   char *data, *loc;
   long *location;
   int buf_len;

   if(argc == 1) exit(0);

   /*
    * 20-byte heap block; the malloc() result is not checked. The
    * address of the message literal is stored at offset 16, which fits
    * inside the block only when sizeof(long) == 4. On an LP64 platform
    * this store already runs past the allocation.
    * NOTE(review): the code appears to target 32-bit Linux (see the
    * 0xbfffff00 constant below) - confirm.
    */
   data = (char *) malloc(20);
   loc = data + 16;
   *((long *)loc) = (long)message;
   /* location aliases data + 16: every later *location re-reads the
      stored pointer from the heap block instead of using message. */
   location = (long *) loc;

   if(argc > 2) loc = argv[2];
   else loc = 0;

   /*
    * Only inputs longer than 38 bytes are inspected, and only bytes 33
    * and 34 are compared (against 0xff and 0xbf). There is no upper
    * bound on the length of argv[1].
    */
   if(strlen(argv[1]) > 38)
      if(((unsigned char) argv[1][33] != 0xff) || ((unsigned char) argv[1][34] != 0xbf))
         exit(1);

   bzero(buffer, 100);
   buf_len = strlen((char *)*location) + strlen(argv[1]);
   /*
    * The bound given to each strncat() is the length of the source, not
    * the space left in buffer, so these calls behave like strcat() and
    * can write past the 100-byte array. The terminator store below uses
    * the same unchecked length as an index. A hardened version would
    * reject input when buf_len >= sizeof buffer before appending.
    */
   strncat(buffer, (char *)*location, strlen((char *)*location));
   strncat(buffer, argv[1], strlen(argv[1]));
   buffer[buf_len] = 0;

   if(loc) {
      /* argv[2] longer than 15 bytes is rejected; lengths 14 and 15 are
         accepted but not copied. */
      if(strlen(loc) > 15) exit(1);
      if(strlen(loc) < 14) {
         /*
          * loc[14] lies beyond the terminator of a string shorter than
          * 14 bytes, so this test reads memory outside the string. The
          * memcpy() branch copies a fixed 17 bytes regardless of the
          * string length: it over-reads the source and its last byte
          * lands on data[16], the first byte of the pointer stored
          * through location. A hardened version would copy
          * strlen(loc) + 1 bytes and keep the pointer out of the same
          * allocation as the user-controlled data.
          */
         if(loc[14] == 0)
            memcpy(data, loc, 17);
         else
            strcpy(data, loc);
      }
   }

   /*
    * The length is recomputed through *location after the copy above
    * may have written into the block that holds that pointer. The
    * guard before func() therefore tests this recomputed value, not
    * strlen(buffer), which was fixed when buffer was filled. A sound
    * guard would measure the string actually passed to func().
    */
   buf_len = strlen((char *)*location) + strlen(argv[1]);
   printf("%s (%d)\n", buffer, buf_len);

   clearmem(envp);
   clearmem(argv);
   /*
    * Integer constant passed where bzero() expects a pointer, with no
    * cast. NOTE(review): presumably the top of the stack on 32-bit
    * Linux without address randomisation - confirm; on any other
    * layout this write faults.
    */
   bzero(0xbfffff00, 250);

   /* Sole guard in front of the unbounded strcpy() in func(). */
   if(buf_len < 56)
      func(buffer);
}
Get the file as source: matrix_challenge.c
If you are able to solve it, e-mail me. matrix@phiral.com