/*
Gopher+ [v2.3.1p0-]: Daemon remote Xploit
by wildcoyote@coders-pt.org

Coded on: 13/08/y2k
Released: Same day heh...

Comments:
This Stack Buffer Overflow was found/exploited by v9... I saw his exploit at
packetstorm and... decided to use this buffer overflow in a better way ;)

v9's exploit tries to add a suid account to /etc/passwd. The problem is
(v9's quote):

"This exploit requires that the service is running as root (to write to
/etc/passwd). Even if the gopher+ daemon displays itself running as another
user, as long as its process is running as root (uid=0) it should exploit
successfully."

Which means:
a) if all goes "smoothly", you need to have an account on the box to be root
   (or do you know any "recent" distributions which by "default" let you
   telnet (remotely) to the box and access a suid r00t account with no
   password? :P)
b) You will only get something if the daemon runz with uid=0

I propose a different approach to this... how about we spawn a remote shell
on the box? No matter what the privileges of the user running the daemon
are, you'll have further access (or even COMPLETE ;) to the remote box :]

This exploit has been "tested" on slackware 3.6/7.0... :]

Buggy Function: (according to v9 :P)

void OutputAuthForm(int sockfd, char *pathname, char *host, int port, CMDprotocol p)
{
    char tmpbuf[512];
    ...
    sprintf(tmpbuf, "
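For comparison, here is the bounded form of the same pattern as an added example (this is neither v9's nor the Gopher+ daemon's code). The page shows only `char tmpbuf[512]` and the start of the `sprintf` call, so the format string, the `+INFO` form text, the example host and the helper names are assumptions; the point is that `snprintf` with the buffer size both caps the write and reports truncation, so an oversized client-supplied pathname is rejected instead of overrunning the stack buffer.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define TMPBUF_LEN 512 /* same size as the daemon's tmpbuf[512] */

/* Format the auth form into tmpbuf without ever writing past len bytes.
 * Returns true only if the whole text fit; false means it was truncated.
 * The format string is a placeholder, the real one is not on the page. */
bool build_auth_form(char *tmpbuf, size_t len, const char *pathname,
                     const char *host, int port)
{
    /* snprintf writes at most len bytes (NUL included) and returns the
     * length the full output would have had, which exposes truncation. */
    int n = snprintf(tmpbuf, len,
                     "+INFO: 1Authentication required\t%s\t%s\t%d\r\n",
                     pathname, host, port);
    return n >= 0 && (size_t)n < len;
}

/* Hardened counterpart of OutputAuthForm: a 512-byte stack buffer, but an
 * attacker-controlled pathname can no longer overflow it. */
bool output_auth_form_safe(const char *pathname, const char *host, int port)
{
    char tmpbuf[TMPBUF_LEN];
    if (!build_auth_form(tmpbuf, sizeof tmpbuf, pathname, host, port)) {
        /* Oversized request: refuse it rather than corrupt the stack. */
        return false;
    }
    /* ... the daemon would write tmpbuf to sockfd here ... */
    return true;
}

/* Self-check helper: a pathname of pathlen 'A' bytes, as a client could send
 * one. Returns whether the hardened routine accepted it. */
bool auth_form_accepts_pathname_len(size_t pathlen)
{
    char path[2048]; /* constructed test input, not protocol data */
    if (pathlen >= sizeof path)
        return false;
    memset(path, 'A', pathlen);
    path[pathlen] = '\0';
    return output_auth_form_safe(path, "gopher.example.org", 70);
}
```

With the assumed format string and host, the fixed text is 56 bytes, so a 455-byte pathname is the longest one that still fits in 512 bytes including the terminating NUL.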