Baltic CTF: South America 100

This entry was posted on May 27 2012

root@bt:/tmp# cat /home/rev100/.bash_history
lynx ""
cd /tmp/
touch exploit.c
nano expoit.c
gcc -o doit exploit.c
strip doit
echo "evil-code" > /dev/null
# Download

# Question:
which is equal to XXXXXXXXXXXXXXX?

Let's track down this kernel exploit on the mailing list.

Opening the file in IDA gives only this string:

Some distinctive function names in the binary (visible in IDA) that help find the exploit via Google:

  1. socketpair
  2. send_fd

When surfing to the linux-kernel section of and clicking on a message we can see that the original mailing list was:

The following search string in Google gives interesting results: error: %s\n socketpair send_fd

I found this program lying around on my laptop. It kills my box
(2.6.35) instantly by consuming a lot of memory (allocated by the
kernel, so the process doesn't get killed by the OOM killer). As far
as I can tell, the memory isn't being freed when the program exits
either. Maybe it will eventually get cleaned up the UNIX socket
garbage collector thing, but in that case it doesn't get called
quickly enough to save my machine at least.

Searching Google for this string plus the site string gives:

Solution: 129055087923940

100 points earned.
