The remote server (220.127.116.11) is running a vulnerable program (final1) on port 9999. The remote OS is a 32-bit version of Ubuntu.
Now, we know the source code of this program is [this].
So, we can first try to hack it locally. Here are some hints:
Step 1: Hack it locally
- Disable ASLR, DEP and the stack protector. DEP and the stack protector are turned off when you compile the code: gcc final1.c -o final -m32 -fno-stack-protector -zexecstack
ASLR is a kernel setting. Type: cat /proc/sys/kernel/randomize_va_space
If it prints 0, ASLR has been turned off.
Otherwise, we need to turn it off manually.
To turn off ASLR:
Change to the root user: su root, default password is
Then type: echo 0 > /proc/sys/kernel/randomize_va_space
- The goal is to read flag.txt. To do that, first create a "fake" flag.txt file in your Manjaro VM. To make things easy, put both the vulnerable program (final) and the file "flag.txt" in the same folder.
- There are no functions in final1.c that can be used directly to read flag.txt, so write your own version (not in C but as hexadecimal machine code that you put into your shellcode!).
- P.S. In order to spawn a shell, you need to create a new execve("/bin/bash") call and represent it in hexadecimal. This link might be helpful: Link
- Here is the basic shellcode structure (based on what we learned from lab1):
- We can use a NOP sled to create a more "robust" one:
- Now, please try to write down the actual shellcode that eventually spawns a new shell for you (like the outcome of lab2).
- Nothing happened?? The reason it does not prompt a shell is that you are running /bin/bash from the command line and using < to feed the shellcode from a file; the shell terminates immediately when it reaches the end of input. If you want it to remain keyboard-interactive, do this instead: cat shellcode - | ./final
- You can use GDB to help you debug your shellcode. If your shellcode works, you can immediately type cat flag.txt and check the local file.
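Before moving on, one check worth having, as an added example that is not part of the assignment: a small POSIX shell script that verifies the mitigations named under Step 1 (ASLR, executable stack, stack protector) are actually off for the lab build. It assumes readelf from binutils is installed; aslr_state takes an optional file path only so it can be exercised against a constructed file instead of /proc.

```shell
#!/bin/sh
# Mitigation check for the lab build (added example, not the assignment's own code).

# Report the kernel ASLR setting. Reads /proc/sys/kernel/randomize_va_space
# unless another path is given (used here to test against a constructed file).
aslr_state() {
    f="${1:-/proc/sys/kernel/randomize_va_space}"
    case "$(cat "$f" 2>/dev/null)" in
        0) echo off ;;      # what the lab wants (echo 0 > ...)
        1) echo partial ;;  # stack/mmap randomized, not brk
        2) echo full ;;     # default on Ubuntu
        *) echo unknown ;;
    esac
}

# Classify the GNU_STACK program header from 'readelf -lW <binary>' on stdin.
# Field 7 holds the flags; an E there means -zexecstack took effect.
stack_exec_from_readelf() {
    awk '/GNU_STACK/ { r = ($7 ~ /E/) ? "executable" : "non-executable"; print r; found = 1 }
         END { if (!found) print "no-gnu-stack" }'
}

# Detect the stack protector from 'readelf -sW <binary>' (or nm -D) on stdin:
# a binary built with the canary references __stack_chk_fail.
canary_from_symbols() {
    if grep -q '__stack_chk_fail'; then echo enabled; else echo disabled; fi
}

# Run all three checks against a compiled binary (e.g. ./final).
check_binary() {
    bin="$1"
    echo "aslr:   $(aslr_state)"
    echo "stack:  $(readelf -lW "$bin" | stack_exec_from_readelf)"
    echo "canary: $(readelf -sW "$bin" | canary_from_symbols)"
}

if [ $# -gt 0 ]; then check_binary "$1"; fi
```

For the lab, the expected output is aslr: off, stack: executable, canary: disabled; anything else means a flag or the kernel setting was missed.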
Step 2: Hack it remotely
Do the same thing, but this time we do it remotely.
Feel free to write your own Java program to send messages to this server, or, if you prefer, you can use this Python script [Link]
W() allows you to send "data" to the remote server, just as if you typed some data and hit the enter key in your VM's terminal.
R() allows you to read the response from the remote server.
You can try it by typing python2 attack.py in your terminal.
Now, tweak your shellcode and hack the remote server!
You probably need to use the "format string" vulnerability to learn the memory address you need on the remote side.