This shows you the differences between two versions of the page.
cns:labs:lab-05 [2020/11/09 15:45] dennis.plosceanu [Shellcode generation] |
cns:labs:lab-05 [2022/11/07 14:44] (current) mihai.dumitru2201 [Tasks] |
Line 303: | Line 303: | ||
<code python> | <code python> | ||
- | context.binary = './vuln_program' | + | context.binary = './vuln_program' |
| | ||
- | shellcode = asm(''' | + | shellcode = asm(''' |
mov rdi, 0 | mov rdi, 0 | ||
mov rax, 60 | mov rax, 60 | ||
syscall | syscall | ||
''') | ''') | ||
- | print(shellcraft.sh()) | + | print(shellcraft.sh()) |
</code> | </code> | ||
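Review bot: the three lines marked as changed in this hunk (`context.binary = './vuln_program'`, `shellcode = asm('''` and `print(shellcraft.sh())`) read identically on both sides, so the edit is presumably indentation or trailing whitespace; the two real problems in the snippet are left as they were. The assembly uses `rdi`/`rax` with syscall number 60 (exit on x86-64), so it only assembles once `context.binary` points at a 64-bit ELF, and `print(shellcraft.sh())` prints assembly source, not bytes, so a reader who wants a payload needs `asm(shellcraft.sh())`. A comment stating the architecture the snippet assumes would avoid both surprises.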
Line 398: | Line 398: | ||
All content necessary for the CNS laboratory tasks can be found in [[cns:resources:repo|the CNS public repository]]. | All content necessary for the CNS laboratory tasks can be found in [[cns:resources:repo|the CNS public repository]]. | ||
- | |||
==== 1. Passing shellcode through the environment ==== | ==== 1. Passing shellcode through the environment ==== | ||
Line 418: | Line 417: | ||
Env var addr 0xfffdd1e7 | Env var addr 0xfffdd1e7 | ||
</code> | </code> | ||
+ | |||
+ | <note tip>You can also use pwntools to pass the env var: | ||
+ | <code python> | ||
+ | from pwn import * | ||
+ | p = process(['./getenv', 'A'], env={'A': shellcode}) | ||
+ | print(p.recvline()) | ||
+ | </code> | ||
+ | |||
+ | This way you can do the whole exploit with a python script: | ||
+ | - run ''getenv'' to leak the address | ||
+ | - parse the output of ''getenv'' | ||
+ | - build the payload and send to ''vuln'' | ||
+ | </note> | ||
This is the address at which you will return to. | This is the address at which you will return to. | ||
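Review bot: in the added tip, `shellcode` is used in `env={'A': shellcode}` but never defined; it has to be the bytes returned by `asm(...)` (with `context.binary` or `context.arch` set to the lab binary's architecture), not the assembly text, so the snippet should include that line or say so. The three-step list also needs the caveat that the address leaked by `getenv` only matches `vuln` when both processes are started with the same environment and argv layout, so step 3 should launch `vuln` through `process` with the same `env` dict rather than inheriting the interactive shell's environment.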
Line 450: | Line 462: | ||
* In order to get ''/bin/sh'' onto the stack, your shellcode could look something like this: \\ <code asm> | * In order to get ''/bin/sh'' onto the stack, your shellcode could look something like this: \\ <code asm> | ||
jmp <offset> ; determine through trial and error | jmp <offset> ; determine through trial and error | ||
- | '/bin/sh'\0 | + | '/bin/sh\0' |
; code continues here | ; code continues here | ||
</code> \\ This will effectively jump over the ''/bin/sh'' string on the stack, which you can then use for your shellcode. Without this initial **jmp** instruction, the string will be interpreted as instructions! | </code> \\ This will effectively jump over the ''/bin/sh'' string on the stack, which you can then use for your shellcode. Without this initial **jmp** instruction, the string will be interpreted as instructions! |
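Review bot: `'/bin/sh\0'` fixes the misplaced quote but is still not something an assembler accepts: NASM does not interpret `\0` inside single-quoted strings (only backquoted ones), and GAS needs a data directive. Since the block is tagged `<code asm>`, write the string as `db '/bin/sh', 0` (NASM) or `.asciz "/bin/sh"` (GAS, which is what pwntools `asm` drives), and replace `jmp <offset> ; determine through trial and error` with a label (`jmp code` before the string, `code:` after it) so the assembler computes the displacement and the reader does not have to guess it.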