Ahmad Mahfouz

Random notes

SMASH THE STACK LEVEL6


this app takes 2 arguments

1 – username

2 – password

it takes them, then says hi

also, it checks your env language (LANG)

and changes the message accordingly

let’s make some love with gdb

btw, without changing your language, it will not overwrite the EIP

now we overwrite the EIP

this is awesome


so the first thing that hit my mind: what if I put the shellcode in the env var LANG

as we see in the disassembly


I did try to export my shellcode in LANG, but the shell didn’t work

so let’s do it our way

the most important part of the source

so I will put the shellcode in the username

then return to it from the password 😀

simple huh

so we have the right address for the shellcode


after doing it directly from bash it gives segmentation fault / address errors

so I decided to do it another way
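The bug class this level is built on, as an added illustration that is not the level’s source (the post only shows that as a screenshot): a constructed greeter with the same shape, two arguments copied into fixed stack buffers and a LANG-dependent message, where the unchecked copy is replaced by a bounded one that rejects oversized input instead of letting it reach the saved EIP. The buffer size, the language mapping and all function names are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SZ 32  /* size of the fixed stack buffers the two arguments land in (assumed) */

/* The level copies argv into fixed buffers unchecked, which is why the post's
 * long password overwrites the saved EIP. This replacement refuses anything
 * that does not fit, NUL included; memchr stops at dst_sz, so an unterminated
 * src is rejected too. Returns 0 on success, -1 if src is too long. */
int bounded_copy(char *dst, size_t dst_sz, const char *src) {
    const char *end = memchr(src, '\0', dst_sz);
    if (end == NULL) { dst[0] = '\0'; return -1; }
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 0;
}

/* Greeting chosen from LANG, as the post says the level does (mapping assumed). */
const char *greeting_for(const char *lang) {
    if (lang && strncmp(lang, "de", 2) == 0) return "Hallo";
    if (lang && strncmp(lang, "fr", 2) == 0) return "Bonjour";
    return "Hi";
}

/* Hardened greet: 1 and the message in out if both arguments fit, else 0. */
int greet(const char *user, const char *pass, const char *lang, char *out, size_t out_sz) {
    char ubuf[BUF_SZ], pbuf[BUF_SZ];
    if (bounded_copy(ubuf, sizeof ubuf, user) != 0 ||
        bounded_copy(pbuf, sizeof pbuf, pass) != 0)
        return 0;
    snprintf(out, out_sz, "%s %s", greeting_for(lang), ubuf);
    return 1;
}

/* Do these two arguments pass the length checks? */
int args_fit(const char *user, const char *pass) {
    char scratch[64];
    return greet(user, pass, NULL, scratch, sizeof scratch);
}

int main(int argc, char **argv) {
    char line[64];
    if (argc != 3 || !greet(argv[1], argv[2], getenv("LANG"), line, sizeof line)) {
        fprintf(stderr, "usage: %s user pass (each under %d bytes)\n", argv[0], BUF_SZ);
        return 1;
    }
    puts(line);
    return 0;
}
```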


done

3 thoughts on “SMASH THE STACK LEVEL6”

  • arun
    February 10, 2015 at 6:53 pm

    I tried your solution and it works great, but it’s not working when I change the environment variable name from n1x to EGG, and my other shellcodes won’t work either. In either case I get this message in gdb:
    process is executing new program : /bin/bash

    • n1x
      June 29, 2015 at 9:14 am

      I think it works; as you notice, it spawns a new process. You may need to set the right address for the shellcode or use some NOP sleds.

  • turtlebread
    August 21, 2015 at 7:33 am

    hey, nice post!! and I have a question
    actually, I did some work with the Making Shellcode tutorial by using nasm & objdump
    but with my shellcode it fails, and yours is fine
    maybe my shellcode has a problem
    How did you get that shellcode??
    Can you explain it to me??
