minor improvements

index.html

@@ -124,22 +124,30 @@ name: inverse
 layout: true
 class: center, middle, inverse
 ---
-# Old skool stack smashing
+# ♫ Stack smashing like it's 1999 ♫
 Ward Wouts<br>
 https://wizeazz.nl/smash/
 ---
 # Agenda
 
-1. Introduction
-1. What is a stack?
-1. How does this work?
-1. Vulnerable fuctions
-1. Now what can we do with this?
-1. Shellcode?
-1. Endianness?
-1. Demo
-1. DIY
-1. Quick Radare2 reference
+[//]: # (This is a markdown comment.)
+[//]: # (A proper markdown comment needs the empty line above it.)
+[//]: # (Two spaces at the end of a line are a linebreak in markdown.)
+
+Introduction  
+What is a stack?  
+How does this work?  
+Vulnerable fuctions  
+Now what can we do with this?  
+Shellcode?  
+Endianness?  
+Exploitation workflow  
+Demo  
+Protections  
+DIY  
+Quick Radare2 reference  
+Quick GDB reference  
+Shellcode explained  
 ---
 # Introduction
 ---
@@ -513,10 +521,8 @@ template: inverse
 .right-column[
 Shellcode from: http://shell-storm.org/shellcode/files/shellcode-251.html
 ```
-/*
- * (Linux/x86) setuid(0) + setgid(0) + execve("/bin/sh", ["/bin/sh", NULL]) 
- * - 37 bytes - xgc@gotfault.net
- */
+/* (Linux/x86) setuid(0) + setgid(0) + execve("/bin/sh", ["/bin/sh", NULL]) 
+ * - 37 bytes - xgc@gotfault.net */
 
   "\x6a\x17"              // push $0x17
   "\x58"                  // pop  %eax
@@ -590,7 +596,7 @@ mov  %esp, %ebx     Point EBX at command string
 push %edx           Push NULL to stack (no more arguments)
 push %ebx           Push pointer to command str
 mov  %esp, %ecx     Point ECX at arg list
-int  $0x80A         Execute command in EAX
+int  $0x80          Execute command in EAX
 ```
 Another `int 0x80` here for syscall 0xb = 11 = execve. 0x68732f2f in ASCII chars = `hs//`, but little endian, so read `//sh`. Same for 0x6e69622f, which gets `/bin`. Together this makes for `/bin//sh`. That double `/` is here to fill that 32-bit word. The EDX that is set to 0 and pushed makes up for the null string terminator.