#include <stdio.h>
#include <stdbool.h>
#include <sys/mman.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Empty string constant; nothing else in this listing references it. */
const char *ok = "";

/*
 * Description:
 * This is a challenge to bypass a certain filter that doesn't allow you to get
 * a shell on the system while executing your code. The solution, in the end,
 * is to use the registers from read to reread from the input, bypass the
 * filter, and execute the code.
 */

/* Size in bytes (4 KiB) of the buffer that receives the submitted code. */
#define SC_SIZE (1024 * 4)

/*
 * Write msg to fd 1 one byte at a time, sleeping 50 ms after each byte,
 * then finish the line with a newline.
 *
 * msg must be a NUL-terminated string. The results of write() are not
 * checked, so a closed or broken stdout is silently ignored.
 */
void slow_print(char *msg){
	for (char *cursor = msg; *cursor != '\0'; cursor++){
		write(1, cursor, 1);
		usleep(50000);
	}
	write(1, "\n", 1);
}

/*
 * Start-up hook: the constructor attribute makes this run before main().
 *
 * Turns off stdio buffering on stdin, stdout and stderr so prompts and input
 * are not held back in a buffer, and arms a 128-second alarm. No SIGALRM
 * handler is installed in this listing, so the default action (process
 * termination) bounds how long one session can stay connected.
 */
void  __attribute__((constructor)) ignore_me(){
	FILE	*streams[] = { stdin, stdout, stderr };

	for (size_t k = 0; k < sizeof streams / sizeof streams[0]; k++)
		setvbuf(streams[k], NULL, _IONBF, 0);
	alarm(128);
}

/*
 * Reject the submission: print the refusal message on stdout and terminate
 * the process with EXIT_FAILURE. Does not return to the caller.
 */
void fabort(){
	static const char	verdict[] = "Not happening";

	puts(verdict);
	exit(EXIT_FAILURE);
}

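/*
 * Challenge entry point.
 *
 * Maps a 4 KiB anonymous buffer, reads one submission from stdin into it,
 * drops write permission, applies the byte filter and, if the filter passes,
 * calls the buffer as a function.
 *
 * Filter: zero bytes are skipped; the remaining bytes must alternate between
 * "divisible by 3" and "divisible by 5", starting with 3. Any violation ends
 * the process through fabort().
 *
 * The submitted bytes are executed in-process by design, so this binary is
 * meant to be hosted only inside a disposable, isolated sandbox.
 *
 * Returns 0 if the submitted code returns; exits with EXIT_FAILURE when the
 * mapping, the read, the permission change or the filter fails.
 */
int main(){
	unsigned char	*buffer;
	ssize_t	nread;
	bool	expect_mod5 = false;

	/* The mapping is writable and executable until the mprotect() below. */
	buffer = mmap(NULL, SC_SIZE, PROT_READ | PROT_WRITE | PROT_EXEC,
			MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (buffer == MAP_FAILED){
		/* Without this check every later access would go through (void *)-1. */
		perror("mmap");
		exit(EXIT_FAILURE);
	}

	memset(buffer, 0, SC_SIZE);
	printf("shellcode >> ");

	/*
	 * read() returns 0 on EOF and -1 on error; indexing with that result
	 * minus one would write before the start of the mapping, so reject both.
	 */
	nread = read(0, buffer, SC_SIZE);
	if (nread <= 0)
		fabort();
	/* Overwrite the last byte received (presumably the trailing newline). */
	buffer[nread - 1] = '\0';

	/* Refuse to continue if the buffer could not be made read/execute only. */
	if (mprotect(buffer, SC_SIZE, PROT_READ | PROT_EXEC) != 0){
		perror("mprotect");
		exit(EXIT_FAILURE);
	}

	for (int i = 0; i < SC_SIZE; i++){
		/* Zero bytes are ignored and do not advance the 3/5 alternation. */
		if (buffer[i] == 0)
			continue;
		if (buffer[i] % (expect_mod5 ? 5 : 3) != 0)
			fabort();
		expect_mod5 = !expect_mod5;
	}

	slow_print("executing...");
	/*
	 * NOTE(review): presumably intended to clear r8 before the call. GCC only
	 * guarantees the placement of a local register variable when it is used
	 * as an asm operand, so confirm in the built binary that this has the
	 * intended effect.
	 */
	register long long r8 __asm__ ("r8") = 0;
	((void (*) (void)) buffer) ();
	/* Reached only if the submitted code returns; this merely prints text. */
	slow_print("/bin/sh");

	return 0;
}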