# HG changeset patch # User Christian Urban # Date 1444237412 -3600 # Node ID 6d552ef3b43544eecc8116f4fbc2390a98d0e371 # Parent b183036ba67575b0a1a2b685bd61d980161e5022 updated diff -r b183036ba675 -r 6d552ef3b435 handouts/ho03.pdf Binary file handouts/ho03.pdf has changed diff -r b183036ba675 -r 6d552ef3b435 handouts/ho03.tex --- a/handouts/ho03.tex Wed Oct 07 10:14:04 2015 +0100 +++ b/handouts/ho03.tex Wed Oct 07 18:03:32 2015 +0100 @@ -412,6 +412,14 @@ ``higher-education'' in the architecture of the target system. But it is actually relatively simple: First there are many such strings ready-made---just a quick Google query away. +A nice selection of ready-made shell-codes can be found +for example at + +\begin{center} +\url{http://shellblade.net/shellcode.html} +\end{center} + + Second, tools like the debugger can help us again. We can just write the code we want in C, for example this would be the program for starting a shell: @@ -450,7 +458,8 @@ will be send to the target computer. This of course requires that the buffer we are trying to attack can at least contain the shellcode we want to run. But as you can see this is only -47 bytes, which is a very low bar to jump over. More +47 bytes, which is a very low bar to jump over. Actually there +are optimised versions which only need 24 bytes. More formidable is the choice of finding the right address to jump to. The string is typically of the form
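Review bot: In the first hunk (@@ -412,6 +412,14 @@) the new sentence uses "shell-codes" while the surrounding text of the handout consistently writes "shellcode" ("the shellcode we want to run" in the second hunk); use one spelling throughout. The same hunk leaves two consecutive blank lines after `\end{center}`, which LaTeX only needs one of for a paragraph break; drop the extra line. The `\url{...}` macro also assumes the `url` or `hyperref` package is loaded in the preamble, which this changeset does not show, so it is worth confirming that the document already uses `\url` elsewhere, and the new sentence would read more naturally as "A nice selection of ready-made shellcode can be found, for example, at".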
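Review bot: In the second hunk (@@ -450,7 +458,8 @@) the added sentence "Actually there are optimised versions which only need 24 bytes." states a specific figure without saying where it comes from or for which architecture and operating system it holds, even though the handout earlier stresses that the string depends on "the architecture of the target system"; add a citation (the collection linked in the first hunk would do) and qualify the claim accordingly, e.g. "There are also optimised versions for the same platform that need only 24 bytes \cite{...}." The word "Actually" reads as spoken register in an otherwise written handout and can simply be removed. While touching this paragraph, the unchanged context line "will be send to the target computer" should read "will be sent".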