--- Log opened Sat Oct 17 14:17:55 2009
14:18 -!- mode/#rpisec [+o adam] by alexrad
14:18 <@adam> /kick jay_
14:19 <@adam> oops
14:19 < jay_> haha
14:20 -!- mode/#rpisec [+o jay_] by alexrad
14:20 <@alexrad> way to share adam
14:20 <@adam> I don't know the commands
14:21 <@alexrad> /mode +o
14:21 <@adam> back in the day, I only learned how to seize power
14:21 <@adam> not distributed it
14:21 <@adam> distribute*
14:24 -!- alexrad changed the topic of #rpisec to: http://rpisec.net/projects/rpisec-general/news
14:25 -!- rgov [Adium@intruded.net] has joined #rpisec
14:25 < rgov> op me up
14:25 -!- mode/#rpisec [+o rgov] by adam
14:25 <@alexrad> adam: now is your chance!
14:25 <@alexrad> :)
14:25 <@rgov> no authentication? psh
14:25 -!- Darkmer [chatzilla@intruded.net] has joined #rpisec
14:25 <@adam> you should probably post the gate1 password in the news article
14:26 < Darkmer> Hello.
14:26 <@adam> hi
14:26 -!- jpope [popej4@intruded.net] has joined #rpisec
14:27 <@rgov> when does the meeting begin?
14:28 <@alexrad> hey guys
14:28 <@alexrad> we're gonna wait a bit
14:28 <@alexrad> sorry for the mishaps
14:28 < jpope> hee hee
14:28 -!- alexrad changed the topic of #rpisec to: http://rpisec.net/projects/rpisec-general/news ; you made it!
14:29 < jpope> sometime i want to write an assembler
14:29 <@alexrad> for what
14:29 < jpope> fun
14:29 <@rgov> what architecture
14:29 < jpope> x86
14:31 <@alexrad> check out libdasm
14:31 <@alexrad> hexstorm
14:31 <@alexrad> http://github.com/adc/rcos-binstat/
14:32 < jpope> i was thinking that i would go all out and write it directly
14:32 < jpope> using a hex editor and a table of opcodes
14:33 < jpope> if i survived the experience it would be rather worth it
14:35 <@alexrad> well a few of us in here are human assemblers
14:35 <@rgov> N = 1
14:35 <@alexrad> one is andrew zonenberg
14:36 < jpope> wow
14:36 <@alexrad> what would you like me to assemble?
14:36 < jpope> that's beyond awesome
14:36 <@alexrad> you should memorize these
14:36 <@alexrad> 31 c0 40 40 cd 80 eb fc
14:36 <@alexrad> linux fork bomb
14:37 <@rgov> alexrad: xor eax, eax; mov eax, (eax)
14:37 <@alexrad> rgov: INVALID SYNTAX
14:37 <@alexrad> pick at&t or intel
14:37 <@rgov> xor eax, eax; mov eax [eax]
14:37 <@alexrad> rgov: INVALID SYNTAX
14:37 <@rgov> xor eax, eax
14:37 <@rgov> mov eax, [eax]
14:37 < jpope> wait how is that a fork bomb?
14:37 <@alexrad> 31 c0 8b 00
14:38 <@alexrad> jpope: 31 c0 = xor eax, eax
14:38 <@rgov> alexrad: correct
14:39 <@alexrad> jpope: you there?
14:39 < jpope> yep
14:39 <@alexrad> 40 = @ = inc eax
14:39 <@alexrad> fork is system call 2
14:39 <@alexrad> cd 80 => int 0x80
14:39 <@alexrad> one way of triggering a system call
14:39 <@alexrad> system call 2 = fork
14:39 < jpope> ah
14:39 <@alexrad> eb fc => jump back 4 bytes
14:39 <@alexrad> so it starts at cd 80 again
14:39 <@alexrad> you know what thats off, it needs to restart at 31 c0
14:40 <@alexrad> because the return of fork will be in eax
14:40 < jpope> oh so you zero eax by xoring it by itself?
14:40 <@alexrad> so it _should_ be eb f8
14:41 <@alexrad> to jump back to that
14:41 <@alexrad> yeah
14:41 <@alexrad> you could also do sub eax, eax
14:42 < jpope> whoa
14:43 < jpope> so there's a system call interrupt?
14:43 <@rgov> that's how system calls work; int 0x80 switches to kernel mode and processes the call
14:43 <@rgov> (* probably an idealistic view that is wrong)
14:44 < jpope> whoa
14:44 < jpope> i'm totally new to stuff beneath the C layer of abstraction
14:44 <@rgov> have you taken comp org or operating systems yet
14:44 < jpope> no, imma freshman
14:45 <@rgov> ok
14:47 < jpope> and i'm a CSE so I don't know whether I'll even get to take those :(
14:47 < jpope> in terms of scheduling and stuff
14:47 <@alexrad> how come nobody is hacking yet?
14:47 <@alexrad> jpope: i'm cs+cse
14:48 <@alexrad> jpope: whats your first name?
14:48 < jpope> alexrad: jeremy
14:48 <@alexrad> Darkmer: you there?
14:48 <@alexrad> why isnt anyone hacking yet?
14:48 -!- Topic for #rpisec: http://rpisec.net/projects/rpisec-general/news ; you made it!
14:48 -!- Topic set by alexrad [root@intruded.net] [Sat Oct 17 14:28:17 2009]
14:48 * rgov is in class.
14:48 <@alexrad> rgov: you dont count
14:49 <@rgov> i've barely done any binary stuff
14:49 -!- TJ09 [TJ09@intruded.net] has joined #rpisec
14:49 <@jay_> alexrad: what is the pass for gate1
14:50 <@rgov> jay_: /topic
14:50 < jpope> how do i get my linux box to run a sequence of bytes?
14:50 <@rgov> jpope: make a C file
14:50 <@rgov> in it write
14:51 <@rgov> char main[] = "\x00\x00";
14:51 <@rgov> where \x00\x00 is replaced by the escaped sequence of bytes
14:51 <@rgov> (before every hex pair write \x)
14:51 <@rgov> then compile it with gcc
14:51 <@alexrad> theres a better way
14:51 < jpope> oho
14:51 <@alexrad> hi TJ09
14:51 < TJ09> Hello.
14:52 <@alexrad> inlineegg is not bad http://oss.coresecurity.com/projects/inlineegg.html
14:52 <@alexrad> int main(){ char code[]=...; void(*func)()=&code; func(); } is another straightforward way
14:52 -!- Topic for #rpisec: http://rpisec.net/projects/rpisec-general/news ; you made it!
14:52 -!- Topic set by alexrad [root@intruded.net] [Sat Oct 17 14:28:17 2009]
14:53 < jpope> ah
14:53 -!- alexrad changed the topic of #rpisec to: http://rpisec.net/projects/rpisec-general/news ; you made it! ;; ssh gate1@intruded.net -p 31337 and get to gate2
14:54 -!- alexrad changed the topic of #rpisec to: http://rpisec.net/projects/rpisec-general/news ; you made it! ;; ssh gate1@intruded.net -p 31337 and get to gate2; your goal is to join #gate3 on irc
14:56 <@rgov> alexrad: did you give us a password for it
14:56 <@rgov> pwrd is gate1
14:56 <@jay_> No password given, but it is intuitive
14:57 <@rgov> did i ruin it
14:57 <@alexrad> oops i just left that out
14:57 <@alexrad> but you should always guess
14:57 <@alexrad> (if you can get away with it)
15:01 <@alexrad> w
15:04 < jpope> hi, the fork bomb doesn't appear to be destroying things
15:04 < jpope> char main[] = "\x31\xc0\x40\x40\xcd\x80\xeb\xfc";
15:04 < jpope> compiled it
15:04 < jpope> ran the output
15:04 <@jay_> jpope: most systems have a proc limit. You have reached it
15:05 < jpope> i crashed things with a C fork bomb earlier though
15:05 <@alexrad> jpope: there was a bug, it should be \xf8
15:05 < jpope> oh
15:05 <@alexrad> or f6, one sec
15:06 <@alexrad> yeah f8
15:06 -!- jpope [popej4@intruded.net] has quit [Read error: Connection reset by peer]
15:06 <@jay_> haha
15:07 <@jay_> guess he fixed it
15:07 -!- jpope [popej4@intruded.net] has joined #rpisec
15:07 < jpope> well, it worked
15:08 < TJ09> I'm not really sure what's going on, but what's supposed to happen at gate2?
15:08 <@jay_> I thought that most systems had a resource limit that prevented a user from making more than x procs? Am I mistaken?
15:09 < jpope> probably, but it got enough that my mouse wouldn't even move
15:09 < TJ09> jay_, probably a configurable one that defaults to unlimited?
15:09 <@jay_> jpope: Yeah, I knew that you were successful when you left the channel :)
15:09 < jpope> heehee
15:10 <@alexrad> TJ09: join the irc chan
15:12 < jpope> am i right in thinking that every cycle the computer checks for interrupts?
15:12 < jpope> actually probably not
15:13 < jpope> nevermind, resolved
15:13 -!- alexrad changed the topic of #rpisec to: http://rpisec.net/projects/rpisec-general/news ; you made it! ;; ssh gate1@intruded.net -p 31337 and get to gate2; your goal is to join #gate3 on irc ; if something doesnt work let me know
15:13 -!- alexrad changed the topic of #rpisec to: http://rpisec.net/projects/rpisec-general/news ; you made it! ;; ssh gate1@intruded.net -p 31337 and get to gate2; your goal is to join #gate3 on irc ; if something doesnt work let alexrad know
15:14 <@alexrad> jpope: it definitely gets hairy with what an interrupt means under SMP
15:17 < jpope> SMP?
15:17 < jpope> symmetric multiprocessing?
15:17 < TJ09> Multicore/multiprocessor computers.
15:18 < jpope> ah
15:18 <@alexrad> TJ09: what is your first name
15:18 < TJ09> I go by T.J. everywhere, although technically Theodore.
15:18 <@alexrad> portal recipe
15:18 <@alexrad> you and adam both submitted that
15:18 <@alexrad> im still waiting on the gummy bears
15:19 <@alexrad> or was it fish?
15:19 < jpope> brb, breakfast
15:23 -!- rpisec [liuy14@intruded.net] has joined #rpisec
15:24 -!- rpisec [liuy14@intruded.net] has left #rpisec []
15:24 < TJ09> brb
15:25 <@alexrad> omg it's become sentient
15:30 -!- rpisec [liuy14@intruded.net] has joined #rpisec
15:31 <@alexrad> Darkmer: you there?
15:31 -!- jsc [napum@intruded.net] has joined #rpisec
15:31 <@alexrad> hey jared
15:31 < jsc> yo!
15:31 <@alexrad> hows it going
15:31 <@alexrad> nice arrival time
15:32 < jsc> pretty good
15:32 < jsc> and yeah, sorry about that. I went to Walmart and spaced the time
15:32 <@alexrad> but 1:37 would have been better
15:32 <@alexrad> no, we messed up, check your email
15:32 <@alexrad> anyway the point of being online is that we can persist across time
15:32 <@alexrad> everything is being logged
15:32 < jsc> where are the logs being posted?
15:33 <@alexrad> havent decided yet
15:33 <@alexrad> someone said something about nsa.gov/ or peterson.af.mil
15:33 < jsc> oh my god
15:33 -!- rpisec [liuy14@intruded.net] has left #rpisec []
15:33 <@alexrad> Easy!
15:33 <@alexrad> hi rp
15:33 < jsc> I usually have irssi+dtach setup so I don't need logs but my home server went down and it hasn't come back up yet
15:33 < jsc> I'm now stuck with logging in when I'm actually at my laptop
15:33 < jsc> it's terrible
15:34 <@alexrad> no worries
15:34 <@alexrad> guess what? we got ip space
15:34 <@alexrad> we're gonna give you guys shells
15:34 < jsc> booya!
15:34 <@alexrad> sometime this week hopefully
15:34 <@alexrad> at least everyone who participated in fairgame
15:34 <@alexrad> and people participating today
15:34 < jsc> this is awesome! What's the OS?
15:34 <@alexrad> might be freebsd
15:34 <@alexrad> i'd prefer plan9
15:35 <@alexrad> someone should write us an os
15:35 < jsc> I love the idea of plan9 but I've never got it to install on any of my machines
15:35 <@alexrad> i was joking
15:35 < jsc> hahaha
15:35 < jsc> sadly, I wasn't
15:35 < jpope> i'm back
15:35 < jsc> even vmware didn't have the right "hardware" for it
15:35 < jpope> so how does this whole shell thing work?
15:36 -!- Topic for #rpisec: http://rpisec.net/projects/rpisec-general/news ; you made it! ;; ssh gate1@intruded.net -p 31337 and get to gate2; your goal is to join #gate3 on irc ; if something doesnt work let alexrad know
15:36 -!- Topic set by alexrad [root@intruded.net] [Sat Oct 17 15:13:39 2009]
15:36 <@alexrad> jpope: we're gonna give people semi restricted shells
15:36 <@alexrad> wont really be useful for downloading things
15:36 <@alexrad> but it should be useful for staying alive on irc and having a minimal dev environment for whatever reason
15:36 < jpope> ah
15:36 <@alexrad> maybe some email on there, dont know yet
15:37 <@alexrad> it's pretty open right now
15:37 <@alexrad> if they have outgoing net access the bandwidth will be monitored probably
15:37 <@alexrad> BTW
15:38 <@alexrad> if you guys need a hand with gate1 talk to me
15:38 < jpope> gate1?
15:38 <@alexrad> /topic
15:38 < jsc> let me take a shower and I'll have a look
15:38 -!- Topic for #rpisec: http://rpisec.net/projects/rpisec-general/news ; you made it! ;; ssh gate1@intruded.net -p 31337 and get to gate2; your goal is to join #gate3 on irc ; if something doesnt work let alexrad know
15:38 -!- Topic set by alexrad [root@intruded.net] [Sat Oct 17 15:13:39 2009]
15:42 < Darkmer> I'm still here, reading along.
15:45 <@alexrad> okay cool, whats your background?
15:45 < Darkmer> Freshman, in CS II. I want a career in computer security but don't have much experience with it.
15:46 <@alexrad> none at all?
15:48 < Darkmer> Yeah not really.
15:49 <@alexrad> cool beans
15:49 < Darkmer> I am mostly learning right now, I am getting some experience with C++ which is cool, I only knew java before.
15:49 < Darkmer> Got some experience with command prompts too, I like them
15:50 <@alexrad> ah cool
15:50 <@alexrad> did you manage to log in to the gate1 shell?
15:54 < Darkmer> Hmm, I got into gate.
15:55 < Darkmer> Think I am in gate 1 now.
15:55 <@alexrad> nice
15:55 <@alexrad> type id
15:56 < Darkmer> type /id?
15:58 < jsc> what's everyone's wm of choice?
15:59 <@alexrad> evilwm
15:59 <@alexrad> Darkmer: in the shell
15:59 <@alexrad> i'm gonna start up a screen session for gate1
16:00 < TJ09> Microsoft Bob
16:00 < jsc> that's oldschool
16:01 < Darkmer> Where is the shell?
16:01 < jsc> the thing with the $ prompt
16:02 < Darkmer> Is that a separate command prompt?
16:03 < jsc> not unless you started another
16:03 < Darkmer> I am connected with Chatzilla addon for firefox, does that not come with a built in shell prompt?
16:04 < jsc> when you login, you're connected to a shell. It's probably bash or ksh. That's the thing with: username@host:wd$
16:05 <@alexrad> Darkmer: running windows? i recommend putty
16:05 < Darkmer> Yeah windows here
16:06 < Darkmer> is putty an irc client?
16:06 <@alexrad> ssh client
16:06 < Darkmer> Let me go check it out.
16:09 < jpope> gah, how do i send non-ascii chars as args to a program?
16:09 < Darkmer> I downloaded it but what should I connect to?
16:11 < jpope> i tried backslash followed by octal codes but that didn't appear to work
16:12 <@alexrad> there are a few ways
16:12 <@alexrad> try echo -ne "\xef\xff"
16:12 <@alexrad> also python -c 'print "\xff"'
16:13 <@alexrad> perl -e 'print "\xff"x100 . "adsf"'
16:13 < jpope> ah!
16:13 <@alexrad> or write a c program, execl(arg,arg,"\x44....");
16:13 < jsc> that's so much more convenient than how I was doing it
16:13 < jpope> where to save the c program?
16:13 < jsc> /tmp
16:13 < jpope> ah
16:16 < jsc> that little endian crap tripped me up
16:16 < jsc> but I got it
16:18 < Darkmer> Whoa, I connected to gate one and it is asking for a password, this is really cool, it is just like a linux prompt
16:18 <@alexrad> type gate1
16:20 < Darkmer> It disconnected, I'll reconnect.
16:20 < jpope> whee, gate1 done
16:22 <@alexrad> high5
16:23 < Darkmer> Well I got the puTTY open and I connected to gate1@intruded.net on port 31337 but when I go to type in a command it doesn't show my letters and only acts when I use the enter key.
16:23 < jpope> GATE 2 IS EVIL
16:24 < Darkmer> then I got disconnected for too many access denied >.>!
16:27 < Darkmer> oh fixed it.
16:28 < Darkmer> But I still can't see the text I input and that is really a problem
16:28 < Darkmer> Oh I can see it now, I guess it doesn't let you see passwords
16:29 < jsc> yeah, passwords never echo
16:34 <@alexrad> gate 2 is not evil
16:35 <@alexrad> when i am done with you guys you will be able to pop shells on remote architectures you've never written a c program on
16:35 < jpope> how did YOU learn?
16:35 <@alexrad> wargames
16:35 <@alexrad> intruded.net used to be wargames.unix.se
16:35 <@alexrad> that is how i learned
16:35 < jpope> i always feel bad learning from others
16:36 <@alexrad> other good sites are :: intruded.net, smashthestack.org, overthewire.org
16:36 <@alexrad> jpope: i totally understand where you are coming from
16:36 <@alexrad> that is why wargames rock
16:36 < jpope> learn via messing around, as opposed to being told?
16:37 <@alexrad> seriously though, no matter how embarrassed you might be, theres always someone more lost than you are
16:37 <@alexrad> jpope: being told is a motivation killer
16:37 < jpope> yeah
16:37 < jpope> how do i whisper?
16:37 <@alexrad> try /whisper?
16:37 < jpope> ah
16:38 <@alexrad> also try /msg alexrad hi
16:38 < jpope> i'm totally new to erssi
16:39 < jpope> irssi*
16:39 < jsc> it's badass, isn't it?
16:39 < Darkmer> afk a little Barton Versus Blitman Ultimate Frisbee game.
16:40 <@alexrad> lol how'd you get blitman to climb up to freshman hill?
16:40 <@alexrad> you should give them some lemonade
16:41 < jsc> heh
16:42 <@alexrad> anyone know how to play back a screen log?
16:42 < jpope> yeep
16:43 < jpope> sorry, that was directed at the "it's badass"
16:44 < jsc> are they anything more than just text?
16:44 <@alexrad> >
16:44 <@alexrad> ?
16:44 < jsc> I've never messed around with them but I thought it was just a dump of the current session
16:44 <@alexrad> im hoping theres a way to play them back
16:45 <@alexrad> i might have needed ttyrec
16:58 -!- rgov [Adium@intruded.net] has left #rpisec []
17:06 < jpope> whoa
17:06 < jpope> ryan worked on adium????
17:07 <@alexrad> he's a developer
17:07 <@alexrad> im going to go over function prologues/epilogues in just a second
17:07 < jpope> back when i had a mac i loved adium :D
17:09 <@alexrad> http://www.rpi.edu/~radoca/acm_talk%20%20overflows%20&%20fmt%20strings/pres.pdf
17:10 < jsc> spaces make me sad :(
17:18 <@alexrad> yeah
17:19 <@alexrad> so the set up in hexploitme.c is like this
17:20 < jpope> i love the presentation
17:20 <@alexrad> 0xc000000 .. higher values of memory addresses on the stack... env vars. [args [arg1][arg0]] [ptrs to args] .... [main stack frame][func stack frame]
17:20 <@alexrad> | top of stack | .... 0xb0000000
17:20 <@alexrad> func stack frame is at the top of the stack
17:21 <@alexrad> anyone want to use my notation to draw the stack frame for func ?
17:21 <@alexrad> include local variables, the saved frame pointer, and the saved return address
17:29 <@alexrad> correct answer!
17:29 <@alexrad> okay, as someone was thinking,
17:29 <@alexrad> but didnt bother to say
17:29 <@alexrad> func's stack frame includes the following things: local vars (buf), the saved frame pointer, and the saved return address
17:30 <@alexrad> lower on the stack (higher memory address values) <--- [saved ret][saved frame pointer][buf 1bx256]|top of stack ---> lower address values (higher on the stack)
17:30 <@alexrad> [saved ret][saved fp][buf ]
17:31 <@alexrad> and this is how func's stack frame got built
17:31 <@alexrad> 0x0804851f : call 0x8048474
17:31 <@alexrad> that instruction effectively pushes the address of the next instruction on the stack (0x08048524 : add $0x14,%esp
17:31 <@alexrad> )
17:31 <@alexrad> 0x08048524 : add $0x14,%esp
17:32 <@alexrad> so when func returns, it will return to the address 0x08048524
17:32 <@alexrad> you still have [saved frame pointer][buf]
17:32 <@alexrad> the start of func looks like:
17:32 <@alexrad> 0x8048474 : push %ebp
17:32 <@alexrad> 0x8048475 : mov %esp,%ebp
17:32 <@alexrad> 0x8048477 : sub $0x118,%esp
17:33 <@alexrad> by design, %ebp stands for (extended) base pointer. it points to the base of your stack frame
17:33 <@alexrad> at the very very start of func, it still points to main's frame
17:34 <@alexrad> push %ebp saves this pointer on the stack
17:34 <@alexrad> so now func's frame looks like: [return address][main's saved frame pointer]
17:34 <@alexrad> next you have mov %esp,%ebp
17:34 <@alexrad> this stores the address of the top of the stack (%esp) in %ebp
17:35 <@alexrad> this is the address of func's base, [saved ret][saved frame pointer]![....
17:35 <@alexrad> ebp points to the saved frame pointer
17:35 <@alexrad> alright now the last part of the prologue, local variable allocation
17:36 <@alexrad> this might help you understand why in standard c you have to declare your variables at the start of the function, and not in the middle
17:36 <@alexrad> sub $0x118,%esp
17:36 <@alexrad> that subtracts 0x118 bytes from %esp, growing func's stack frame by 0x118 bytes
17:36 <@alexrad> [saved ret][saved frame pointer][buf ..... ] [extra space]
17:37 <@alexrad> the extra space is used by gcc to pass in arguments to other functions without using the push instruction again
17:37 <@alexrad> ignore that for now
17:37 <@alexrad> =====================
17:37 <@alexrad> any questions on the function prologue?
17:38 <@alexrad> alright im going to keep on chugging along
17:38 <@alexrad> we're going to skip the body of func and look at how the function returns
17:38 <@alexrad> the function epilogue
17:39 <@alexrad> 0x080484ec : leave
17:39 <@alexrad> 0x080484ed : ret
17:39 <@alexrad> thats it
17:39 <@alexrad> the leave instruction effectively does esp = ebp; pop ebp
17:39 <@alexrad> and ret is effectively pop eip
17:40 <@alexrad> the first part of leave collapses the stack back to where the prologue was before the sub $0x118, %esp
17:40 <@alexrad> it "cleans" up the local arguments, theyre not zeroed out or anything
17:44 <@alexrad> the second part, pop ebp, restores the previous function's frame pointer
17:44 <@alexrad> feel free to pm me with qs btw
17:44 <@alexrad> so ebp goes from holding the address of funcs frame base back to main's
17:45 <@alexrad> the top of the stack after leave will look like this
17:45 <@alexrad> [saved return address]
17:45 <@alexrad> the ret instruction takes that value off the top of the stack and executes the instructions at that address value
17:45 <@alexrad> ==========================
17:46 <@alexrad> so how do you hijack flow control?
17:46 <@alexrad> if you can overwrite the saved frame pointer or the saved return address you control the flow :P
17:46 <@alexrad> saved return address/saved frame pointer are metadata
17:46 <@alexrad> they are inband control data
17:46 <@alexrad> in func() you have a call to strcpy
17:47 <@alexrad> [saved ret][saved frame pointer][buffer byte 255 ... byte 254 ... byte 0]
17:47 <@alexrad> strcpy copies from a lower memory address value to a higher memory address value (remember, the bottom of the stack is at a HIGHER value memory address and the top of the stack is at a LOWER one)
17:48 <@alexrad> so strcpy effectively does:: for(i = 0; src[i]; i++) dest[i] = src[i]; dest[i] = 0;
17:48 <@alexrad> if you put in 256 As this is what happens
17:49 <@alexrad> [saved ret][upper 3 bytes of saved frame pointer XX][AAAAAAAAAAAAAAAAA....]
17:49 <@alexrad> any guesses for what XX is
17:50 <@alexrad> correct! 0x00 , the string end delimiter
17:50 <@alexrad> NUL
17:50 <@alexrad> our friend
17:50 <@alexrad> alright that sums it up
17:51 <@alexrad> on gate4 you'll have to take control using only the frame pointer
17:52 <@alexrad> ================================
17:52 <@alexrad> =================================
17:52 <@alexrad> blah blah blah
17:52 <@alexrad> this will be placed online
17:58 < Darkmer> Hey guys I am back
17:58 <@alexrad> heya
17:58 < Darkmer> I am in gate1 and found some items, three in fact.
17:59 < Darkmer> A sweet txt file that I am denied access to, and a .c file and some unextensioned file
17:59 < Darkmer> Is ./ the way to open files in the linux shell?
17:59 <@alexrad> run the unextensioned file, exploit it, gain access to the txt file
17:59 <@alexrad> the .c file is the source of the binary
17:59 <@alexrad> ./ refers to local directory
17:59 <@alexrad> current directory*
17:59 <@alexrad> so ./ls wont work, but if you do cd /bin; ./ls
17:59 <@alexrad> (bash also has a built in ls)
18:00 <@alexrad> so ./gate1
18:00 < Darkmer> What does calling down the /bin do?
18:02 <@alexrad> cd /bin ?
18:03 <@alexrad> changes the directory to /bin
18:03 <@alexrad> type cwd
18:03 <@alexrad> to see your current working directory
18:03 <@alexrad> err try pwd
18:03 <@alexrad> to get help on a command, use man
18:03 <@alexrad> man pwd for instance
18:05 < Darkmer> Interesting, I am in the bin directory and using "ls" I see a lot of things, all without extensions. They have to be commands don't they?
18:07 < Darkmer> This is pretty cool.
18:08 <@alexrad> right on linux the extension doesnt mean much
18:08 <@alexrad> execution depends on file permissions
18:08 < Darkmer> heh, I "cd" on home and found a lot of stuff, I've never really dug through a computer like this before.
18:08 <@alexrad> keep digging
18:09 <@alexrad> the way the levels are set up you can leveljump
18:09 < Darkmer> What exactly does "./" do, execute a file?
18:09 <@alexrad> nope, ./ is part of the pathname
18:09 <@alexrad> just like /bin/ls
18:09 <@alexrad> ./ls
18:09 <@alexrad> /bin/ is the path
18:09 <@alexrad> ./ is the path
18:09 <@alexrad> ls is the file
18:09 <@alexrad> ./gate1
18:09 <@alexrad> ./ is the path
18:10 < Darkmer> oh
18:10 <@alexrad> gate1 is the file
18:10 <@alexrad> ./ says take the current working directory as the start of the path
18:10 <@alexrad> use the pwd command to see what that is
18:10 < Darkmer> When I use cygwin to run .exe files of c++ programs I use ./xxx.exe to run them, does that mean it is following that path and executing the file with that name?
18:11 <@alexrad> seems so
18:11 <@alexrad> im going to dump the #rpisec log on the site
18:11 <@alexrad> i have to go do other stuff now
18:11 < Darkmer> Cya