Show page

Differences

This shows you the differences between two versions of the page.

--- cns:labs:lab-05 [2020/11/09 15:45]
dennis.plosceanu [Shellcode generation]
+++ cns:labs:lab-05 [2022/11/07 14:44] (current)
mihai.dumitru2201 [Tasks]
@@ Line 303: / Line 303: @@
 <code python>
-  context.binary = './vuln_program'
+context.binary = './vuln_program'
-  shellcode = asm('''
+shellcode = asm('''
        mov rdi, 0
        mov rax, 60
        syscall
 ''')
-  print(shellcraft.sh())
+print(shellcraft.sh())
  </code>
@@ Line 398: / Line 398: @@
 All content necessary for the CNS laboratory tasks can be found in [[cns:resources:repo|the CNS public repository]].
 ==== 1. Passing shellcode through the environment  ====
@@ Line 418: / Line 417: @@
 Env var addr 0xfffdd1e7
 </code>
+<note tip>You can also use pwntools to pass the env var:
+<code python>
+from pwn import *
+p = process(['./getenv', 'A'], env={'A': shellcode})
+print(p.recvline())
+</code>
+This way you can do the whole exploit with a python script:
+  - run ''getenv'' to leak the address
+  - parse the output of ''getenv''
+  - build the payload and send to ''vuln''
+</note>
 This is the address at which you will return to.
@@ Line 450: / Line 462: @@
   * In order to get ''/bin/sh'' onto the stack, your shellcode could look something like this: \\ <code asm>
 jmp <offset> ; determine through trial and error
-'/bin/sh'\0
+'/bin/sh\0'
 ; code continues here
 </code> \\ This will effectively jump over the ''/bin/sh'' string on the stack, which you can then use for your shellcode. Without this initial **jmp** instruction, the string will be interpreted as instructions!

Resources

Labs

Lectures

Assignments

Extra

cns/labs/lab-05.1604929555.txt.gz · Last modified: 2020/11/09 15:45 by dennis.plosceanu

Show page Old revisions

Media Manager Back to top