Today we’re going to learn a lot about operator priority, and why some of the mistakes made in this area can be so devastating. A great example of that is a challenge from pwnable.kr called mistake.
After connecting to the ssh server, we can see two files waiting for us: the compiled binary and its source code.
Let’s take a look at the code first.
Let’s study the code to find out where the mistakes are. We can clearly see the first bug in the if statement.
As the hint suggested, there’s a mistake in operator priority. We know that the comparison operator < has higher priority than the assignment operator =. With explicit parentheses, this piece of code looks like this.
And as we know, open will return a non-negative integer representing the lowest-numbered unused file descriptor, so the comparison will always fail and evaluate to 0. That 0 is then assigned to the fd variable. In addition, from the previous challenges, we know that file descriptor 0 is reserved for stdin.
In this line, as fd=0, the program will copy the input from stdin into pw_buf. After that every character of the second input pw_buf2 will be xored with 1, and lastly the password will be compared in this line.
So if we find a combination where the first character xored with 1 results in the second, we will be able to bypass the password check. I picked 1 and 0, as their respective ASCII values are 60 and 61 in octal.
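To see both points together, here is a small C program written for this write-up (it is not the challenge’s source): it contrasts the buggy and the parenthesised open() checks and reimplements the xor-with-1 comparison. /dev/null stands in for the password file and the 10-byte inputs are constructed.

```c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Buggy form: '<' binds tighter than '=', so fd receives the result of the
 * comparison (0 or 1), never the real descriptor, which is leaked. The extra
 * outer parentheses only silence the compiler's "assignment used as truth
 * value" warning; the precedence inside them is exactly the challenge's. */
int fd_after_buggy_open(const char *path) {
    int fd;
    if ((fd = open(path, O_RDONLY, 0400) < 0)) {
        return -1;      /* only reached when open() itself failed */
    }
    return fd;          /* 0 whenever open() succeeded: stdin */
}

/* Corrected form: the assignment is parenthesised, so fd holds the descriptor
 * and the comparison tests it. Returns -1 on failure, else the descriptor. */
int fd_after_fixed_open(const char *path) {
    int fd;
    if ((fd = open(path, O_RDONLY, 0400)) < 0) {
        return -1;
    }
    close(fd);          /* closed so the example does not leak it */
    return fd;
}

/* The challenge's check: every byte of the second input is xored with 1 and
 * compared with the first buffer. Returns 1 on a full match, else 0. */
int password_matches(const char *pw_buf, const char *pw_buf2, size_t len) {
    for (size_t i = 0; i < len; i++) {
        if ((pw_buf2[i] ^ 1) != pw_buf[i]) {
            return 0;
        }
    }
    return 1;
}

int main(void) {
    /* /dev/null stands in for the password file (constructed example). */
    printf("buggy fd = %d, fixed fd = %d\n",
           fd_after_buggy_open("/dev/null"), fd_after_fixed_open("/dev/null"));
    /* '0' is 060 octal and '1' is 061, so they differ only in bit 0. */
    printf("match = %d\n", password_matches("1111111111", "0000000000", 10));
    return 0;
}
```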
Now we’re ready to pass these numbers into the program.