/42cysec-tsunami

TSUNAMI: buffer overflows, assembly


tsunami

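/*
 * The repository README embedded as raw bytes (the layout is what
 * `xxd -i README.md` emits).  Decoded, the bytes read:
 *
 *   "First attempt at buffer overflows in two OS, Ubuntu 18.04 and
 *    WinXP sp3. Not very sophisticated, but it does\nthe job. Used
 *    vagrant+vbox to get up vulnerable environments. Enjoy!"
 *
 * There is NO trailing '\0', so this is not a C string: never pass it to
 * strlen()/printf("%s"); use readme_md_len with fwrite()/memcpy().
 * main() in this file jumps into the buffer and executes it as code.
 */
unsigned char readme_md[] = {
  0x46, 0x69, 0x72, 0x73, 0x74, 0x20, 0x61, 0x74, 0x74, 0x65, 0x6d, 0x70,
  0x74, 0x20, 0x61, 0x74, 0x20, 0x62, 0x75, 0x66, 0x66, 0x65, 0x72, 0x20,
  0x6f, 0x76, 0x65, 0x72, 0x66, 0x6c, 0x6f, 0x77, 0x73, 0x20, 0x69, 0x6e,
  0x20, 0x74, 0x77, 0x6f, 0x20, 0x4f, 0x53, 0x2c, 0x20, 0x55, 0x62, 0x75,
  0x6e, 0x74, 0x75, 0x20, 0x31, 0x38, 0x2e, 0x30, 0x34, 0x20, 0x61, 0x6e,
  0x64, 0x20, 0x57, 0x69, 0x6e, 0x58, 0x50, 0x20, 0x73, 0x70, 0x33, 0x2e,
  0x20, 0x4e, 0x6f, 0x74, 0x20, 0x76, 0x65, 0x72, 0x79, 0x20, 0x73, 0x6f,
  0x70, 0x68, 0x69, 0x73, 0x74, 0x69, 0x63, 0x61, 0x74, 0x65, 0x64, 0x2c,
  0x20, 0x62, 0x75, 0x74, 0x20, 0x69, 0x74, 0x20, 0x64, 0x6f, 0x65, 0x73,
  0x0a, 0x74, 0x68, 0x65, 0x20, 0x6a, 0x6f, 0x62, 0x2e, 0x20, 0x55, 0x73,
  0x65, 0x64, 0x20, 0x76, 0x61, 0x67, 0x72, 0x61, 0x6e, 0x74, 0x2b, 0x76,
  0x62, 0x6f, 0x78, 0x20, 0x74, 0x6f, 0x20, 0x67, 0x65, 0x74, 0x20, 0x75,
  0x70, 0x20, 0x76, 0x75, 0x6c, 0x6e, 0x65, 0x72, 0x61, 0x62, 0x6c, 0x65,
  0x20, 0x65, 0x6e, 0x76, 0x69, 0x72, 0x6f, 0x6e, 0x6d, 0x65, 0x6e, 0x74,
  0x73, 0x2e, 0x20, 0x45, 0x6e, 0x6a, 0x6f, 0x79, 0x21
};

/*
 * Byte count of readme_md (177 for the text above).  Derived from the
 * array instead of hard-coded so the two cannot drift apart if the
 * README is regenerated with xxd and only one of them gets updated.
 */
unsigned int readme_md_len = sizeof readme_md;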

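/*
 * Entry point: treat the README bytes as machine code and jump into them.
 * That is the whole joke of the repository -- the README *is* the payload.
 *
 * Things a reader should know before running it:
 *
 *  - Calling a data object as a function is undefined behaviour in C, and
 *    the object-pointer -> function-pointer cast is only conditionally
 *    supported by the standard (gcc accepts it, with a warning under
 *    -pedantic).
 *  - On a modern toolchain readme_md lives in a writable, non-executable
 *    data segment, so with NX/DEP in effect the jump faults immediately.
 *    It can only run if the page is made executable first (an explicit
 *    mprotect(), or a toolchain/kernel combination where an executable
 *    stack implies that all readable pages are executable).
 *  - Nothing guarantees the ASCII bytes decode to a sane instruction
 *    stream that ends in a return; expect a crash rather than a clean
 *    exit.  The `return 0` below is reached only if the payload returns.
 *
 * Returns 0 if the payload happens to return control.
 */
int main(void)
{
	void (*payload)(void) = (void (*)(void))readme_md;
	payload();
	return 0;
}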

Windows XP sp3

usage

./win-setup.sh

Ubuntu 18.04

usage

To disable ASLR on the VM (system-wide and not persistent across reboots; do this only inside the disposable lab machine, and restore `kernel.randomize_va_space=2` afterwards):

sudo sysctl -w kernel.randomize_va_space=0

To compile the vulnerable binary:

./linux-setup.sh
gcc -m32 -z execstack -fno-stack-protector -o tsunami vuln.c
  • -z execstack: link with an executable stack, so shellcode placed in a stack buffer can actually run
  • -fno-stack-protector: disable the stack canary, so overwriting the saved return address goes undetected
  • -m32: build a 32-bit binary (lazy — the 32-bit x86 ABI is the simpler target for a first overflow)