You can safely ignore it for the purpose of the analysis. Hint: sub_80491c5(var_36, 0xa) sets a time-out on the process handling the connection. The programmer certainly wrote a simple for(int var_32 = 0 var_32 <= 4 var32++), but since some statements are re-ordered by the compiler, it's a bit harder to see. After printing an informative message, the loop starts. The only argument passed from the previous function is the connection's file descriptor, and is saved into var_36. The port binded by the server is set with the following disassembly: The daemon is thus listening for connections. The first block is setting up a socket, and the next blocks call bind, listen and accept. The error handling is pretty bare bone and is handled by several block calling exit. This looks like an infinite loop, since the last block unconditionally jmp up. Since the control flow is more complex than main, hopper's graph-view comes in handy: Let's jump to the next function, sub_8048f9a. We don't need to understand its inner-working in the details.Īfter renaming the privilege-dropping function, main looks like this: Taking a quick look at the library functions and the strings used in the first function, we can guess it's just dropping privileges. Our main calls two functions, sub_80489f4 and sub_8048f9a. Then jump to its disassembly by pressing enter. In hopper, highlight it and press N to rename it to something more meaningful. The first argument of is the address of main, thus 0x8049180. This means that arguments are pushed on the stack in reverse order. It's a i386 executable, so the arguments are passed using the cdecl convention. I'm using Hopper Disassembler for easy cross-references, renaming, etc, but you can follow along in gdb, IDA, radare or your custom mess of python scripts if you prefer.Īfter loading the executable in hopper, it's correctly identified as 32 bits ELF. The flag we're after should be on the filesystem. If we take a look at the rest of the output, we notice /flags.txt. We can confirm our assumptions by looking at the strings in the executable. It's also certainly dropping its privileges, since it uses setuid, setgid and chroot. We can bet on a network daemon that's self-contained.
0 Comments
Leave a Reply. |