search
Github

popping around shell

Shellcode with some limitation

hashtag
Problem

chevron-rightDescriptionhashtag

what if \xff\d9?

nc 157.230.247.65 9696

chevron-righttldr;hashtag

provide a shellcode that bypasses limitation to spawn shell on remote machine

hashtag
Solution

hashtag
Analysis

Given a binary shell.out, the first thing we will do is to check the binary type and its security implementation.

$ file shell.out 
shell.out: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=99ab9f9e7ec19cba2b41d1cc5d40af86f726014f, stripped

$ checksec --file=shell.out  
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      Symbols         FORTIFY Fortified       Fortifiable    FILE
Full RELRO      No canary found   NX enabled    No PIE          No RPATH   No RUNPATH   No Symbols        No    0               2     shell.out

basic analysis summary:

  • x64 least-bit ELF binary

  • dynamically linked, so it’ll depend on system library

  • stripped, means function and variable name from the source code is not carried

  • Full RELRO, means that the GOT entry table is not writable

  • No Stack Canary, means no additional checks if the stack is overflown

  • NX enabled, means the stack is not executable

  • No PIE, means base address is hard-coded and not randomized

The primary objective of this challenge is to navigate around limitations rather than pinpointing a vulnerability and taking advantage of it.

decompiled main

By examining the decompiled code in ghidra, we observe that the binary receives input data, saves it into a variable and tries to execute it as a function. If we can supply functional shellcode to the binary, it should spawn a shell for us.

we can potentially use asm(shellcraft.sh()), which ends up with 48 bytes of shellcode thus exceeding our input. It appears that we will need to create our own shellcode, which is likely the intended solution according to the author.

So let’s discuss what our goal is, to spawn a shell we want to call execve('/bin/sh') that is, a syscall that requires the following registers to be equal to a specific value accordingly:

  1. $RAX = 0x3b

  2. $RDI = a pointer to ‘/bin/sh’ string

  3. $RSI = 0x0

  4. $RDX = 0x0

to read more about this you can follow this link:

Thankfully, the author is nice enough to include the string within the binary, we can use ghidra to search for strings and we’ll find the address to it and because PIE is not enabled, we can simply point to it without worrying about address randomization.

Strings in ghidra

hashtag
Exploitation

to save up memory so we’ll use the 32-bit registers to make the syscall shorter. Below is the setup to register in assembly

chevron-rightSolve Scripthashtag

hashtag
Flag

get shell and read flag

flag{shell_is_just_\xff\d9}

Last updated