rework a bit and add gdb info

Ward Wouts 2023-02-14 17:16:51 +01:00
parent 14bed20690
commit e8ae1519cb


@ -291,12 +291,11 @@ template: inverse
.right-column[ .right-column[
In hacking, a shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability. It is called "shellcode" because it typically starts a command shell from which the attacker can control the compromised machine, but any piece of code that performs a similar task can be called shellcode. [1] In hacking, a shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability. It is called "shellcode" because it typically starts a command shell from which the attacker can control the compromised machine, but any piece of code that performs a similar task can be called shellcode. [1]
Here's a bit of shellcode to open `/bin/sh` on 32-bit x86 (48 bytes) [2]: Here's a bit of shellcode to open `/bin/sh` on 32-bit x86 (37 bytes) [2]:
``` ```
\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01 \x6a\x17\x58\x31\xdb\xcd\x80\x6a\x2e\x58\x53\xcd\x80\x31\xd2
\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30 \x6a\x0b\x58\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89
\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1 \xe3\x52\x53\x89\xe1\xcd\x80
\x0c\xce\x81
``` ```
As strings in C are NULL terminated, shellcode should not have `\x00` in it. As strings in C are NULL terminated, shellcode should not have `\x00` in it.
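Review bot: the slide text still describes the payload only as opening `/bin/sh`, but the 37-byte replacement does more than that: decoded, the first two groups are `push 0x17; pop eax; xor ebx,ebx; int 0x80` (setuid(0)) and `push 0x2e; pop eax; push ebx; int 0x80` (setgid(0)), and only then comes the `execve("/bin//sh", ...)` sequence. Add a sentence on the slide saying so, because those two calls are precisely why the later SUID-root exercise hands back a root shell instead of a shell running as the invoking user. The stated length (37) matches the listing and the bytes contain no `\x00`, so the new payload is consistent with the rule on the following line.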
@ -305,7 +304,7 @@ As strings in C are NULL terminated, shellcode should not have `\x00` in it.
Sometimes swapping out some shellcode for some other shellcode is the trick. Sometimes swapping out some shellcode for some other shellcode is the trick.
.footnote[[1] Borrowed from [wikipedia](https://en.wikipedia.org/wiki/Shellcode)<br>[2] Shellcode from [shell-storm](http://shell-storm.org/shellcode/files/shellcode-491.php)] .footnote[[1] Borrowed from [wikipedia](https://en.wikipedia.org/wiki/Shellcode)<br>[2] Shellcode from [shell-storm](http://shell-storm.org/shellcode/files/shellcode-251.php)]
] ]
--- ---
template: inverse template: inverse
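Review bot: footnote [2] is updated in step with the payload (491 to 251), which keeps the attribution correct; the link still uses plain `http://` while the wikipedia footnote next to it uses `https://`, so switch the scheme if shell-storm serves https.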
@ -380,8 +379,7 @@ template: inverse
.right-column[ .right-column[
Now it's your turn. Now it's your turn.
Use google cloudshell https://console.cloud.google.com/cloudshell/ to run ssh to Log into the provided VM. Binary and shellcode are in `/smash`
log into `XX.XX.XX.XX` (not available now) with ssh using user `hulkX` password `smashX`. Binary and shellcode are in `/smash`
**Alternative** If you want to use your own system, Do this as preparation: **Alternative** If you want to use your own system, Do this as preparation:
- Install radare2: `$ sudo apt-get install -y radare2`<br>**OR**<br> `$ git clone https://github.com/radareorg/radare2.git && cd radare2 && sys/user.sh`<br>for a persistent installation. - Install radare2: `$ sudo apt-get install -y radare2`<br>**OR**<br> `$ git clone https://github.com/radareorg/radare2.git && cd radare2 && sys/user.sh`<br>for a persistent installation.
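Review bot: the rewritten line drops every connection detail (host, user, login method) and only says "the provided VM"; if the details are handed out in the session, say that on the slide ("use the host and login given in class"), otherwise a reader of the published deck has nothing to act on. Taking the literal `hulkX`/`smashX` shared credentials and the `XX.XX.XX.XX` placeholder out of the deck is the right call; keep them out of the public copy. Nit on the unchanged context line: "Do this as preparation" should be lower-case "do".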
@ -435,7 +433,7 @@ int main()
.right-column[ .right-column[
Now, if you managed that: Now, if you managed that:
- Try to make it open a shell via shellcode. Especially fun if you make the binary SUID root:<br> `$ sudo chown root.root diy && sudo chmod u+s diy` - Try to make it open a shell via shellcode. Especially fun if you make the binary SUID root:<br> `$ sudo chown root.root diy && sudo chmod u+s diy`
- Can be done both via shellcode in an environment variable (usually more reliable) and via shellcode in the buffer - Can be done both via shellcode in an environment variable (usually more reliable **HINT**) and via shellcode in the buffer
Tip: `gets()` behaves weirdly and will close your shell immediately. The trick is to do something like:<br> Tip: `gets()` behaves weirdly and will close your shell immediately. The trick is to do something like:<br>
`$ (echo -e MYINPUT; cat)|./diy`<br> `$ (echo -e MYINPUT; cat)|./diy`<br>
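Review bot: `**HINT**` is inserted bare inside the parenthetical, so the bullet now reads "(usually more reliable **HINT**)" with no hint attached; either write out what is meant (why the environment-variable placement is more reliable than the buffer) or drop the marker before publishing. Two nits on the unchanged lines of this hunk: `chown root.root` uses the obsolete `user.group` separator, `chown root:root` is the documented form; and `gets()` is not "behaving weirdly", the spawned shell exits because it inherits a stdin that is already at EOF once the piped input has been consumed, which is exactly what the trailing `cat` in `(echo -e MYINPUT; cat)|./diy` fixes, so the tip could say that instead.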
@ -463,6 +461,24 @@ template: inverse
- `S` step over - `S` step over
- `?v HEX` build in calculator (e.g. `?v 0xdead0000+0xbeef`) - `?v HEX` build in calculator (e.g. `?v 0xdead0000+0xbeef`)
- `?vi HEX` hex to integer (e.g. `?vi 0x400`) - `?vi HEX` hex to integer (e.g. `?vi 0x400`)
]
---
template: inverse
# Quick GDB reference
---
.left-column[
## Quick GDB reference
]
.right-column[
- `gdb --args <program> <arguments>` start gdb with a program with arguments
- `disas <function>` disassemble a function
- `b *<address>` set a breakpoint on an address
- `x/200x $esp` show the memory contents for 200 bytes starting at the address $esp points to
- `r` run
- `r < foo.txt` run with stdin filled from a file
- `c` continue
- `s` step into
- `info functions` list all functions
] ]
</textarea> </textarea>
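Review bot: the description of `x/200x $esp` is wrong: gdb's `x` count is in units of the current default size (words, 4 bytes, unless an earlier `x` command changed it), so `x/200x $esp` dumps 200 words (800 bytes); use `x/200xb $esp` for 200 bytes, or change the text to say 200 words. Two smaller points: `s` is source-level stepping and is of little use on a binary without debug info, so `si` (step one instruction) and `ni` (step over a call) belong in the list next to `b *<address>`, matching the step/step over pair the radare2 slide gives; and since `info functions` is listed, `b <function>` is worth mentioning beside `b *<address>` as the symbolic form.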