gdb-peda$ telescope $sp 20
00:0000| esp 0xffffdef0 --> 0x4 argc
01:0004| 0xffffdef4 --> 0xffffdfd3 ("arg0") argv[]
02:0008| 0xffffdef8 --> 0xffffdfd8 ("arg1")
03:0012| 0xffffdefc --> 0xffffdfdd ("arg2")
04:0016| 0xffffdf00 --> 0xffffdfe2 ("arg3")
05:0020| 0xffffdf04 --> 0x0 end of argv[]
06:0024| 0xffffdf08 --> 0xffffdfe7 ("env0") envp[]
07:0028| 0xffffdf0c --> 0xffffdfec ("env1")
#!/usr/bin/env python2
#
# CVE-2014-6271 reverse shell
#
# Same as all the others, just showing off some pwntools.
#
# Usage:
#   python shell.py http://host/cgi-bin/script.sh
#   python shell.py http://host/cgi-bin/script.sh PORT=12345
#
Simple shellcoding challenge from a Raytheon SI hiring/meet-greet/CTF event.
Basically, you provide data four bytes at a time. This is stored in an 8-byte allocation. The second 4 bytes of the allocation are a pointer to the next allocation.
The challenge is less difficult than it first appears. Looking at the x86 opcodes, there's no way to do a direct JMP or CALL. However, because of the heap layout, you can just do 'jmp $+offset'.
The remaining difficulty is then doing stuff with 2-byte opcodes. I chose to rewrite the pwntools pushstr method to do it with just 2-byte opcodes by INCing, SHIFTing and PUSHing eax.
Cool, we're actually getting to something with mitigations!
$ checksec.sh --file 7b80d4d56c282a310297336752c589b7
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Partial RELRO   Canary found      NX enabled    No PIE          No RPATH   No RUNPATH   7b80d4d56c282a310297336752c589b7
The binary accepts data over stdin/stdout, and spits back at you a bunch of printable characters, appended with a number of your choosing.
$ checksec.sh --file 8ff953dd97c4405234a04291dee39e0b
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
No RELRO        No canary found   NX disabled   No PIE          No RPATH   No RUNPATH   8ff953dd97c4405234a04291dee39e0b
$ file 8ff953dd97c4405234a04291dee39e0b
It's a 32-bit binary with no mitigations.
$ file ./94dd6790cbf7ebfc5b28cc289c480e5e
./94dd6790cbf7ebfc5b28cc289c480e5e: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0xce5456409e1bfe207cd58c5b77ce99125d3b8d0f, stripped
Simple forking server listens on port 6666.
$ checksec.sh --file ./94dd6790cbf7ebfc5b28cc289c480e5e
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Partial RELRO   No canary found   NX disabled   No PIE          No RPATH   No RUNPATH   ./94dd6790cbf7ebfc5b28cc289c480e5e