Exemple #1
/*
 * Memory-protection probe: checks whether a heap allocation can be switched
 * to executable with mprotect() and then run.
 *
 * A one-byte buffer is allocated, filled with a RETN opcode, re-protected as
 * read+execute and called through a function pointer. Reaching itworked()
 * means the call returned, i.e. the platform let memory that had just been
 * written become executable.
 *
 * NOTE(review): fptr, do_mprotect() and itworked() are defined outside this
 * listing; do_mprotect() presumably wraps mprotect() (page alignment and
 * error handling are not visible here) - confirm.
 * NOTE(review): casting an object pointer to a function pointer is not
 * defined by ISO C; the probe depends on the platform allowing it.
 */
void doit( void )
{
	/* volatile, as in the original declaration of this pointer */
	volatile char *heap_byte = malloc( 1 );
	fptr entry;

	if( !heap_byte ) {
		fprintf( stderr, "Out of memory\n" );
		exit( 1 );
	}

	/* Store a single RETN instruction in the allocation */
	heap_byte[0] = '\xc3';

	/* Request read+execute; PROT_READ is included because of a FreeBSD bug */
	do_mprotect( heap_byte, 1, PROT_READ|PROT_EXEC );

	/* Treat the allocation as code and call it */
	entry = (fptr)heap_byte;
	entry();

	/* Put the region back to read+write */
	do_mprotect( heap_byte, 1, PROT_READ|PROT_WRITE );

	/* Only reached if the call above returned */
	itworked();
}
Exemple #2
/*
 * Memory-protection probe: checks whether data exported by two shared
 * libraries can be switched to executable with mprotect() and then run.
 *
 * The symbols "shbss" (shlibtest.so) and "shbss2" (shlibtest2.so) are looked
 * up, SHELLCODE_RETURN is copied into both, and the lower of the two
 * addresses is re-protected and called. Reaching itworked() means the call
 * returned, i.e. the platform let library data that had just been written
 * become executable.
 *
 * NOTE(review): both libraries are opened by bare file name, so the dynamic
 * loader's search path decides which file is loaded; run the probe only in
 * an environment where that path is controlled.
 * NOTE(review): fptr, copy_shellcode(), do_mprotect(), itworked(),
 * SHELLCODE_RETURN and MAX_SHELLCODE_LEN are defined outside this listing.
 * The symbol names suggest the data lives in .bss - confirm in the library
 * sources.
 */
void doit( void )
{
	void *lib1 = dlopen( "shlibtest.so", RTLD_LAZY );
	void *lib2;
	char *bss1;
	char *bss2;
	fptr entry;

	if( !lib1 ) {
		fprintf( stderr, "dlopen() returned NULL\n" );
		exit( 1 );
	}
	/* Discard any stale error so the dlerror() check below reflects dlsym() */
	(void)dlerror();
	bss1 = dlsym( lib1, "shbss" );
	if( dlerror() ) {
		fprintf( stderr, "symbol %s not found in %s\n", "shbss", "shlibtest.so" );
		exit( 1 );
	}

	lib2 = dlopen( "shlibtest2.so", RTLD_LAZY );
	if( !lib2 ) {
		fprintf( stderr, "dlopen() returned NULL\n" );
		exit( 1 );
	}
	/* Same pattern for the second library */
	(void)dlerror();
	bss2 = dlsym( lib2, "shbss2" );
	if( dlerror() ) {
		fprintf( stderr, "symbol %s not found in %s\n", "shbss2", "shlibtest2.so" );
		exit( 1 );
	}

	copy_shellcode(bss1, SHELLCODE_RETURN);
	copy_shellcode(bss2, SHELLCODE_RETURN);

	/*
	 * The lower of the two addresses becomes the entry point.
	 * NOTE(review): ordering pointers into different objects is not defined
	 * by ISO C; kept exactly as the original compares them.
	 */
	if( bss1 < bss2 ) {
		entry = (fptr)bss1;
	} else {
		entry = (fptr)bss2;
	}

	/* Request read+execute; PROT_READ is included because of an OpenBSD bug */
	do_mprotect(entry, MAX_SHELLCODE_LEN, PROT_READ|PROT_EXEC );

	/* Run the copied bytes as code */
	entry();

	/* Put the region back to read+write */
	do_mprotect(entry, MAX_SHELLCODE_LEN, PROT_READ|PROT_WRITE );

	/* Only reached if the call above returned */
	itworked();

	dlclose( lib1 );
	dlclose( lib2 );
}
Exemple #3
/*
 * Memory-protection probe: checks whether bytes copied into buf can be
 * executed directly, without any change of page protection.
 *
 * SHELLCODE_RETURN is copied into buf and the buffer is called through a
 * function pointer. Reaching itworked() means the call returned, i.e. the
 * region holding buf is executable as mapped.
 *
 * NOTE(review): buf, fptr, copy_shellcode(), itworked() and SHELLCODE_RETURN
 * are defined outside this listing. buf is passed to copy_shellcode() but
 * &buf is used as the entry point, which assumes buf is an array (so both
 * denote the same address) - confirm at its definition.
 */
void doit( void )
{
    /* Entry point is the address of the buffer itself */
    fptr entry = (fptr)&buf;

    copy_shellcode(buf, SHELLCODE_RETURN);

    /* Run the copied bytes as code */
    entry();

    /* Only reached if the call above returned */
    itworked();
}
Exemple #4
/*
 * Memory-protection probe: checks whether data exported by two shared
 * libraries can be executed directly, without any change of page protection.
 *
 * The symbols "shdata" (shlibtest.so) and "shdata2" (shlibtest2.so) are
 * looked up, SHELLCODE_RETURN is copied into both, and the lower of the two
 * addresses is called. Reaching itworked() means the call returned, i.e. the
 * library's data is executable as mapped.
 *
 * NOTE(review): both libraries are opened by bare file name, so the dynamic
 * loader's search path decides which file is loaded; run the probe only in
 * an environment where that path is controlled.
 * NOTE(review): fptr, copy_shellcode(), itworked() and SHELLCODE_RETURN are
 * defined outside this listing.
 */
void doit( void )
{
	void *lib1 = dlopen( "shlibtest.so", RTLD_LAZY );
	void *lib2;
	char *data1;
	char *data2;
	fptr entry;

	if( !lib1 ) {
		fprintf( stderr, "dlopen() returned NULL\n" );
		exit( 1 );
	}
	/* Discard any stale error so the dlerror() check below reflects dlsym() */
	(void)dlerror();
	data1 = dlsym( lib1, "shdata" );
	if( dlerror() ) {
		fprintf( stderr, "symbol %s not found in %s\n", "shdata", "shlibtest.so" );
		exit( 1 );
	}

	lib2 = dlopen( "shlibtest2.so", RTLD_LAZY );
	if( !lib2 ) {
		fprintf( stderr, "dlopen() returned NULL\n" );
		exit( 1 );
	}
	/* Same pattern for the second library */
	(void)dlerror();
	data2 = dlsym( lib2, "shdata2" );
	if( dlerror() ) {
		fprintf( stderr, "symbol %s not found in %s\n", "shdata2", "shlibtest2.so" );
		exit( 1 );
	}

	copy_shellcode(data1, SHELLCODE_RETURN);
	copy_shellcode(data2, SHELLCODE_RETURN);

	/*
	 * The lower of the two addresses becomes the entry point.
	 * NOTE(review): ordering pointers into different objects is not defined
	 * by ISO C; kept exactly as the original compares them.
	 */
	if( data1 < data2 ) {
		entry = (fptr)data1;
	} else {
		entry = (fptr)data2;
	}

	/* Run the copied bytes as code */
	entry();

	/* Only reached if the call above returned */
	itworked();

	dlclose( lib1 );
	dlclose( lib2 );
}
Exemple #5
/*
 * Memory-protection probe: checks whether the region holding buf can be
 * switched to executable with mprotect() and then run.
 *
 * The address of buf is re-protected as read+execute and called through a
 * function pointer. Reaching itworked() means the call returned, i.e. the
 * platform allowed the protection change and the execution.
 *
 * NOTE(review): buf, fptr, do_mprotect() and itworked() are defined outside
 * this listing. Nothing is written to buf here, so it presumably already
 * holds a return instruction - confirm at its definition.
 */
void doit( void )
{
	/* Entry point is the address of the buffer itself */
	fptr entry = (fptr)&buf;

	/* Request read+execute; PROT_READ is included because of an OpenBSD bug */
	do_mprotect( &buf, 1, PROT_READ|PROT_EXEC );

	/* Run the buffer contents as code */
	entry();

	/* Put the region back to read+write */
	do_mprotect( &buf, 1, PROT_READ|PROT_WRITE );

	/* Only reached if the call above returned */
	itworked();
}
Exemple #6
/*
 * Hard-fail check for cases where the error cannot be recovered from by any
 * means: if itworked(errcode) evaluates to zero, ExitToShell() is called;
 * otherwise the function simply returns.
 *
 * NOTE(review): itworked() and ExitToShell() are defined outside this
 * listing; ExitToShell() presumably ends the program - confirm.
 */
void mustwork(short errcode)
{
	if (!itworked(errcode)) {
		ExitToShell();
	}
}