To make it super simple, I made it in assembly using pwntools:
The binary contains all the gadgets you need! First it executes a read syscall, writes to the stack, then the ret occurs and you can gain control.
But what about the /bin/sh? I slightly cheesed this one and couldn't be bothered to add it to the assembly, so I just did:
As we mentioned before, we need the following layout in the registers:
To get the address of the gadgets, I'll just do objdump -d vuln. The address of /bin/sh can be gotten using strings:
The offset from the base to the string is 0x1250 (-t x tells strings to print the offset as hex). Armed with all this information, we can set up the constants:
Now we just need to populate the registers. I'll tell you the padding is 8 to save time:
And wehey - we get a shell!