We are given a Linux binary. To start off, let's run checksec on it:

    Arch:     i386-32-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x8048000)
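Before interpreting that output, it helps to know where checksec gets two of those lines from. The following is an added example, not code from the original writeup: it reads the NX status from the PF_X bit of the PT_GNU_STACK program header and the PIE status from the ELF e_type field, the same header fields checksec inspects. Because the CTF binary itself is not available here, the build_sample_elf32 helper constructs a minimal ELF32 image (header plus one program header) as test data; in a real audit you would pass the bytes of the binary under review to inspect_elf32. All function names are assumptions of this example.

```python
import struct

# ELF constants from the System V ABI / Linux ELF headers
ELFCLASS32 = 1
ELFDATA2LSB = 1
ET_EXEC = 2            # fixed-address executable (checksec: "No PIE")
ET_DYN = 3             # position-independent executable or shared object
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def build_sample_elf32(nx_enabled, pie):
    """Build a minimal, constructed ELF32 image: a 52-byte header followed by a
    single PT_GNU_STACK program header. This is test data for the example,
    not the binary from the writeup."""
    e_type = ET_DYN if pie else ET_EXEC
    # Constructed entry point inside the usual i386 non-PIE load range.
    e_entry = 0 if pie else 0x8048000
    e_ident = b"\x7fELF" + bytes([ELFCLASS32, ELFDATA2LSB, 1, 0]) + b"\x00" * 8
    ehdr = e_ident + struct.pack(
        "<HHIIIIIHHHHHH",
        e_type, 3, 1, e_entry,   # e_type, e_machine=EM_386, e_version, e_entry
        52, 0, 0,                # e_phoff (phdrs follow the header), e_shoff, e_flags
        52, 32, 1,               # e_ehsize, e_phentsize, e_phnum
        40, 0, 0,                # e_shentsize, e_shnum, e_shstrndx
    )
    p_flags = PF_R | PF_W | (0 if nx_enabled else PF_X)
    phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, p_flags, 16)
    return ehdr + phdr


def inspect_elf32(data):
    """Return the NX and PIE facts checksec derives from the ELF headers.
    nx is None when the image carries no PT_GNU_STACK header at all."""
    if data[:4] != b"\x7fELF" or data[4] != ELFCLASS32:
        raise ValueError("not an ELF32 image")
    end = "<" if data[5] == ELFDATA2LSB else ">"
    fields = struct.unpack(end + "HHIIIIIHHHHHH", data[16:52])
    e_type, e_entry, e_phoff = fields[0], fields[3], fields[4]
    e_phentsize, e_phnum = fields[8], fields[9]

    nx = None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, *_, p_flags, _align = struct.unpack(end + "IIIIIIII", data[off:off + 32])
        if p_type == PT_GNU_STACK:
            # The stack is non-executable only when the PF_X bit is clear.
            nx = not (p_flags & PF_X)
    return {"pie": e_type == ET_DYN, "nx": nx, "entry": e_entry}


def audit_findings(info):
    """Turn the parsed facts into the hardening findings an auditor would report."""
    findings = []
    if info["nx"] is False:
        findings.append("NX disabled: PT_GNU_STACK is marked executable, so stack data can run as code")
    elif info["nx"] is None:
        findings.append("No PT_GNU_STACK header: review manually; i386 Linux historically "
                        "falls back to an executable stack when it is absent")
    if not info["pie"]:
        findings.append("No PIE: ET_EXEC image with a fixed entry point at 0x%x" % info["entry"])
    return findings


if __name__ == "__main__":
    weak = inspect_elf32(build_sample_elf32(nx_enabled=False, pie=False))
    for line in audit_findings(weak):
        print(line)
```

The "No canary found" line is not recoverable from the headers alone; checksec derives it from the symbol or import table (the presence of __stack_chk_fail), which this example does not parse. For a stripped static binary like the one in this writeup, that check is necessarily a heuristic.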
It looks like NX is disabled, so if needed we can place shellcode on the stack and execute it from there.

To understand how this binary works, I opened it in Ghidra. There are only two functions, _entry and _exit. Let's look at _entry first. Although the decompilation is mostly useless, the disassembly is more than enough.
We can see two int 0x80 instructions, which are syscalls. By looking at the value of eax at each one and referencing a 32-bit syscall table, we can identify them. The reversed syscalls are shown in comments in the above screenshot. It's also clear that we control EIP, because the large read syscall will overflow into the saved return address on the stack.
As we saw earlier, the NX bit is disabled, so we can jump to our shellcode. To do so, we need to leak a stack address to identify where to jump to. Using pwndbg, it's easy to watch the stack during execution.